@toa.io/extensions.exposition 1.0.0-alpha.19 → 1.0.0-alpha.190

package/features/steps/IDP.ts

@@ -0,0 +1,334 @@
+import { once } from 'node:events'
+import * as crypto from 'node:crypto'
+import * as http from 'node:http'
+import * as assert from 'node:assert'
+import * as util from 'node:util'
+import { buffer } from 'node:stream/consumers'
+import { binding, given, afterAll } from 'cucumber-tsflow'
+import { Captures } from './Captures'
+
+import type { AddressInfo } from 'node:net'
+
+@binding([Captures])
+export class IDP {
+  private static server?: http.Server
+  private static privateKey?: crypto.KeyObject
+  private static issuer?: string
+  private static authCodes = new Map<string, AuthCode>()
+  private readonly captures: Captures
+
+  public constructor (captures: Captures) {
+    this.captures = captures
+  }
+
+  @afterAll()
+  public static async stop (): Promise<void> {
+    if (this.server instanceof http.Server) {
+      this.server.close()
+      await once(this.server, 'close')
+    }
+  }
+
+  @given(/local IDP is running/i)
+  public async start (): Promise<void> {
+    if (IDP.server instanceof http.Server) return
+
+    // creating the key
+    const {
+      publicKey,
+      privateKey
+    } = await util.promisify(crypto.generateKeyPair)('rsa', {
+      modulusLength: 2048
+    })
+
+    IDP.privateKey = privateKey
+
+    const jwk = JSON.stringify({
+      keys: [{
+        use: 'sig',
+        alg: 'RS256',
+        ...publicKey.export({ format: 'jwk' })
+      }]
+    })
+
+    const JWK_ENDPOINT = '/.well-known/jwks'
+    const TOKEN_ENDPOINT = '/token'
+    const AUTH_ENDPOINT = '/authorize'
+
+    const server = http.createServer(async (request, response) => {
+      switch (request.url) {
+        case JWK_ENDPOINT:
+          response.writeHead(200, {
+            'Content-Type': 'application/json',
+            'Content-Length': jwk.length,
+            'Cache-Control': 'no-cache, no-store, must-revalidate',
+            Pragma: 'no-cache',
+            Expires: '0'
+          })
+          response.end(jwk)
+          break
+
+        case '/.well-known/openid-configuration': {
+          const openIdConfiguration = JSON.stringify({
+            issuer: IDP.issuer,
+            jwks_uri: IDP.issuer + JWK_ENDPOINT,
+            authorization_endpoint: IDP.issuer + AUTH_ENDPOINT,
+            token_endpoint: IDP.issuer + TOKEN_ENDPOINT,
+            response_types_supported: ['id_token', 'code'],
+            grant_types_supported: ['authorization_code'],
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: ['RS256'],
+            scopes_supported: ['openid', 'email', 'profile']
+          })
+
+          response.writeHead(200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+            'Content-Length': openIdConfiguration.length
+          })
+
+          response.end(openIdConfiguration)
+        }
+
+          break
+
+        case TOKEN_ENDPOINT: {
+          if (request.method !== 'POST') {
+            response.writeHead(405, { 'Content-Type': 'text/plain' })
+            response.end('Method not allowed')
+
+            return
+          }
+
+          const buf = await buffer(request)
+          const body = buf.toString('utf8')
+
+          const params = new URLSearchParams(body)
+          const grantType = params.get('grant_type')!
+          const code = params.get('code')!
+          const redirectUri = params.get('redirect_uri')!
+          const clientId = params.get('client_id')!
+
+          if (grantType !== 'authorization_code' || !code || !clientId) {
+            response.writeHead(400, { 'Content-Type': 'application/json' })
+            response.end(JSON.stringify({ error: 'invalid_request' }))
+          }
+
+          const codeData = IDP.authCodes.get(code)
+
+          if (!codeData ||
+            codeData.expiresAt < Date.now() ||
+            codeData.clientId !== clientId ||
+            (redirectUri && codeData.redirectUri !== redirectUri)) {
+            response.writeHead(400, { 'Content-Type': 'application/json' })
+            response.end(JSON.stringify({ error: 'invalid_grant' }))
+
+            return
+          }
+
+          const accessToken = crypto.randomBytes(32).toString('hex')
+          const idToken = this.generateIdToken(codeData.sub, codeData.email, clientId)
+
+          IDP.authCodes.delete(code)
+
+          response
+            .writeHead(200, { 'Content-Type': 'application/json' })
+            .end(JSON.stringify({
+              access_token: accessToken,
+              token_type: 'Bearer',
+              id_token: idToken,
+              expires_in: 3600
+            }))
+        }
+
+          break
+
+        default:
+          response.writeHead(404, 'Not found')
+          response.end()
+      }
+    })
+
+    server.listen(44444, 'localhost')
+    await once(server, 'listening')
+
+    const address = server.address() as AddressInfo
+
+    console.log('IdP is listening on %s:%s', address.address, address.port)
+    IDP.server = server
+    IDP.issuer = `http://localhost:${address.port}`
+  }
+
+  @given('the IDP token for {word} is issued')
+  public async issueToken (user: string): Promise<void> {
+    assert.ok(IDP.privateKey, 'IdP private key is not available')
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg: 'RS256'
+      },
+      {
+        iss: IDP.issuer,
+        sub: user,
+        aud: 'test',
+        email: user + '@test.local',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createSign('RSA-SHA256').end(jwt).sign(IDP.privateKey, 'base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set(`${user}.id_token`, idToken)
+  }
+
+  @given('the IDP random token is issued')
+  public async issueNewToken (): Promise<void> {
+    assert.ok(IDP.privateKey, 'IdP private key is not available')
+
+    const sub = Math.random().toString(36).substring(7)
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg: 'RS256'
+      },
+      {
+        iss: IDP.issuer,
+        sub,
+        aud: 'test',
+        email: sub + '@test.local',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createSign('RSA-SHA256').end(jwt).sign(IDP.privateKey, 'base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set('random.sub', sub)
+    this.captures.set('random.email', sub + '@test.local')
+    this.captures.set('random.id_token', idToken)
+  }
+
+  @given('the IDP {word} token for {word} is issued with following secret:')
+  public async issueSymmetricToken (alg: string, user: string, secret: string): Promise<void> {
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg
+      },
+      {
+        iss: IDP.issuer,
+        sub: user,
+        aud: 'test',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createHmac(alg.replace(/^HS(\d{3})$/, 'sha$1'), secret)
+      .update(jwt)
+      .digest('base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set(`${user}.id_token`, idToken)
+  }
+
+  @given('ID token with jti is issued for {word}')
+  public async issueTokenWithJti (user: string): Promise<void> {
+    assert.ok(IDP.privateKey, 'IdP private key is not available')
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg: 'RS256'
+      },
+      {
+        iss: IDP.issuer,
+        sub: user,
+        aud: 'test',
+        email: user + '@test.local',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000),
+        jti: crypto.randomUUID()
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createSign('RSA-SHA256').end(jwt).sign(IDP.privateKey, 'base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set(`${user}.id_token`, idToken)
+  }
+
+  @given('auth code for {word} is issued for {word}')
+  public async issueAuthCode (user: string, redirectUri: string): Promise<void> {
+    const code = crypto.randomBytes(16).toString('hex')
+    const email = user + '@test.local'
+    const clientId = 'nex'
+
+    IDP.authCodes.set(code, {
+      code,
+      sub: user,
+      email,
+      clientId,
+      redirectUri,
+      expiresAt: Date.now() + 60 * 1000
+    })
+
+    const json = JSON.stringify({ code, iss: IDP.issuer, for: redirectUri })
+    const base64 = Buffer.from(json).toString('base64')
+
+    this.captures.set(`${user}.auth_code`, code)
+    this.captures.set(`${user}.code_credentials`, base64)
+  }
+
+  private generateIdToken (sub: string, email: string, clientId: string): string {
+    assert.ok(IDP.privateKey, 'IdP private key is not available')
+    assert.ok(IDP.issuer, 'IdP issuer is not available')
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg: 'RS256'
+      },
+      {
+        iss: IDP.issuer,
+        sub,
+        aud: clientId,
+        email,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createSign('RSA-SHA256').end(jwt).sign(IDP.privateKey, 'base64url')
+
+    return `${jwt}.${signature}`
+  }
+}
+
+interface AuthCode {
+  code: string
+  sub: string
+  email: string
+  clientId: string
+  redirectUri: string
+  expiresAt: number
+}

package/features/steps/Identity.ts

@@ -0,0 +1,51 @@
+import { binding, given } from 'cucumber-tsflow'
+import * as http from '@toa.io/agent'
+import { Parameters } from './Parameters'
+import { Captures } from './Captures'
+import { Gateway } from './Gateway'
+
+@binding([Gateway, Parameters, Captures])
+export class Identity {
+  private readonly gateway: Gateway
+  private readonly http: http.Agent
+  private readonly variables: Captures
+
+  public constructor (gateway: Gateway, parameters: Parameters, captures: Captures) {
+    this.gateway = gateway
+    this.http = new http.Agent(parameters.origin, captures)
+    this.variables = captures
+  }
+
+  @given('transient identity {word}')
+  public async transient (as: string): Promise<Principal> {
+    await this.gateway.start()
+
+    await this.http.request(`
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+    `)
+
+    this.http.responseIncludes(`
+      201 Created
+      authorization: Token \${{ ${as}.token }}
+
+      id: \${{ ${as}.id }}
+    `)
+
+    const id = this.variables.get(as + '.id')!
+    const token = this.variables.get(as + '.token')!
+
+    return { id, token }
+  }
+
+  @given('transient identity')
+  public async anonymous (): Promise<Principal> {
+    return await this.transient('identity')
+  }
+}
+
+export interface Principal {
+  id: string
+  token: string
+}

package/features/steps/OTP.ts

@@ -0,0 +1,39 @@
+import * as assert from 'node:assert'
+import { binding, given } from 'cucumber-tsflow'
+import * as boot from '@toa.io/boot'
+import { Locator, type Remote } from '@toa.io/core'
+import { Captures } from './Captures'
+
+@binding([Captures])
+export class OTP {
+  private captures: Captures
+  private otp: Remote | null = null
+
+  public constructor (captures: Captures) {
+    this.captures = captures
+  }
+
+  @given('OTP for `{word}` in `{word}` authority is issued')
+  public async issue (username: string, authority: string): Promise<void> {
+    this.otp ??= await this.connect()
+
+    const reply = await this.otp.invoke('issue', {
+      input: {
+        username,
+        authority
+      }
+    })
+
+    assert.ok(typeof reply.code === 'string')
+
+    const credentials = btoa(`${username}:${reply.code}`)
+
+    this.captures.set(`${username}.otp`, credentials)
+  }
+
+  private async connect (): Promise<Remote> {
+    const locator = new Locator('otp', 'identity')
+
+    return await boot.remote(locator)
+  }
+}

package/features/steps/Parameters.ts

@@ -1,6 +1,11 @@
+import { join } from 'node:path'
+import * as dotenv from 'dotenv'
 import { setDefaultTimeout } from '@cucumber/cucumber'
+import { console } from 'openspan'
 import { encode } from '@toa.io/generic'
 
+dotenv.config({ path: join(__dirname, '.env') })
+
 export class Parameters {
   public readonly origin: string
 
@@ -9,13 +14,94 @@ export class Parameters {
   }
 }
 
-setDefaultTimeout(30 * 1000)
+setDefaultTimeout(60 * 1000)
+
+console.configure({ format: 'terminal' })
 
 process.env.TOA_DEV = '1'
 
 process.env.TOA_STORAGES = encode({
   octets: {
     provider: 'tmp',
-    directory: 'exposition'
+    directory: Math.random().toString(36).substring(2)
+  },
+  cloudinary: {
+    provider: 'cloudinary',
+    environment: process.env.CLOUDINARY_ENVIRONMENT ?? 'nope',
+    type: 'image',
+    prefix: 'toa-dev',
+    transformations: [
+      {
+        extension: 'icon',
+        transformation: [{
+          width: 48,
+          height: 48,
+          crop: 'fill'
+        }, {
+          border: '10px_solid_white'
+        }],
+        optional: true
+      },
+      {
+        extension: '(?<width>\\d*)x(?<height>\\d*)(z(?<zoom>\\d*))?',
+        transformation: {
+          width: '<width>',
+          height: '<height>',
+          zoom: '<zoom>',
+          crop: 'thumb',
+          gravity: 'face'
+        },
+        optional: true
+      },
+      {
+        extension: '\\[(?<width>\\d*)x(?<height>\\d*)\\](z(?<zoom>\\d+))?',
+        transformation: {
+          width: '<width>',
+          height: '<height>',
+          zoom: '<zoom>',
+          crop: 'fit'
+        },
+        optional: true
+      },
+      {
+        extension: '(?<format>jpeg|webp)',
+        transformation: {
+          fetch_format: '<format>'
+        },
+        optional: true
+      }
+    ]
+  },
+  cloudinary_video: {
+    provider: 'cloudinary',
+    environment: process.env.CLOUDINARY_ENVIRONMENT ?? 'nope',
+    type: 'video',
+    prefix: 'toa-dev',
+    eager: [
+      {
+        width: 200,
+        height: 200,
+        crop: 'fill'
+      }
+    ],
+    transformations: [
+      {
+        extension: '200x200',
+        transformation: {
+          width: 200,
+          height: 200,
+          crop: 'fill'
+        },
+        optional: true
+      },
+      {
+        extension: '(?<format>mp4|gif)',
+        transformation: {
+          quality: 'auto',
+          fetch_format: '<format>'
+        },
+        optional: true
+      }
+    ]
   }
 })

package/features/steps/Realtime.ts

@@ -0,0 +1,151 @@
+import { EventEmitter, once } from 'node:events'
+import * as assert from 'node:assert'
+import { after, binding, given, afterAll, then } from 'cucumber-tsflow'
+import { Factory } from '@toa.io/extensions.realtime'
+import * as boot from '@toa.io/boot'
+import { encode, match } from '@toa.io/generic'
+import { parse } from '@toa.io/yaml'
+import { Agent } from '@toa.io/agent'
+import { Parameters } from './Parameters'
+import { Gateway } from './Gateway'
+import { Captures } from './Captures'
+import type { Connector } from '@toa.io/core'
+
+@binding([Gateway, Parameters, Captures])
+export class Realtime {
+  private static instance: Connector | null = null
+  private readonly gateway: Gateway
+  private readonly agent: Agent
+  private readonly events = new EventEmitter()
+  private log: Record<string, unknown[]> = {}
+  private aborted = false
+
+  public constructor (gateway: Gateway, parameters: Parameters, captures: Captures) {
+    this.gateway = gateway
+    this.agent = new Agent(parameters.origin, captures)
+  }
+
+  @given('the Realtime is running with the following annotation:')
+  public async start (yaml: string): Promise<void> {
+    await Realtime.stop()
+
+    const annotation = parse(yaml)
+    const routes = []
+
+    for (const [event, property] of Object.entries(annotation))
+      routes.push({ event, properties: [property] })
+
+    process.env.TOA_REALTIME = encode(routes)
+
+    const factory = new Factory(boot)
+
+    Realtime.instance = factory.service()
+
+    void Realtime.instance.connect()
+  }
+
+  @given('the identity {word} is consuming realtime events')
+  public async connect (name: string): Promise<void> {
+    await this.gateway.start()
+
+    const id = await this.createIdentity(name)
+
+    const parts = await this.agent.parts(`
+      GET /realtime/streams/\${{ ${name}.id }}/ HTTP/1.1
+      authorization: Token \${{ ${name}.token }}
+      accept: application/json
+    `) as AsyncIterable<Uint8Array>
+
+    void this.consume(id, parts).catch((e) => {
+      if (!this.aborted)
+        console.debug('Consumption interrupted', e)
+    })
+  }
+
+  @then('the following event `{word}` is received by {word}:')
+  public async received (label: string, name: string, yaml: string): Promise<void> {
+    const id = this.agent.captures.get(`${name}.id`)
+    const tag = `${id}:${label}`
+    const expected = parse(yaml)
+
+    if (this.log[tag] !== undefined)
+      for (const data of this.log[tag])
+        // eslint-disable-next-line max-depth
+        if (match(data, expected))
+          return
+
+    const [event] = await once(this.events, tag)
+
+    assert.ok(match(event, expected), 'Event does not match')
+  }
+
+  @after()
+  public abort (): void {
+    this.aborted = true
+    this.agent.abort()
+    this.log = {}
+    this.events.removeAllListeners()
+  }
+
+  @afterAll()
+  public static async stop (): Promise<void> {
+    if (this.instance === null)
+      return
+
+    await this.instance.disconnect()
+
+    this.instance = null
+    process.env.TOA_REALTIME = undefined
+  }
+
+  private async createIdentity (name: string): Promise<string> {
+    const password = Math.random().toString(36).slice(2)
+    const username = name + Math.random().toString(36).slice(2)
+
+    await this.agent.request(`
+      POST /identity/basic/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      username: ${username}
+      password: ${password}
+    `)
+
+    this.agent.responseIncludes(`
+      201 Created
+    `)
+
+    const credentials = Buffer.from(`${username}:${password}`).toString('base64')
+
+    await this.agent.request(`
+      GET /identity/ HTTP/1.1
+      authorization: Basic ${credentials}
+      accept: application/yaml
+    `)
+
+    this.agent.responseIncludes(`
+      200 OK
+      authorization: Token \${{ ${name}.token }}
+
+      id: \${{ ${name}.id }}
+    `)
+
+    return this.agent.captures.get(`${name}.id`) as string
+  }
+
+  private async consume (id: string, parts: any): Promise<void> {
+    for await (const part of parts) {
+      const text = Buffer.from(part.body).toString('utf8')
+      const event = JSON.parse(text)
+
+      if (typeof event === 'string')
+        continue
+
+      const tag = `${id}:${event.event}`
+
+      this.events.emit(tag, event.data)
+      this.log[tag] ??= []
+      this.log[tag].push(event.data)
+    }
+  }
+}

package/features/steps/components/echo/manifest.toa.yaml

@@ -12,3 +12,15 @@ operations:
       identity:
         id: string
         roles: [string]
+  parameters:
+    input: &parameters
+      type: object
+      properties:
+        a:
+          type: string
+        b:
+          type: string
+    output: *parameters
+  echo:
+    input:
+      type: object

package/features/steps/components/echo/operations/echo.js

@@ -0,0 +1,7 @@
+'use strict'
+
+function computation (input) {
+  return input
+}
+
+exports.computation = computation