@toa.io/extensions.exposition 1.0.0-alpha.2 → 1.0.0-alpha.20

package/components/identity.federation/source/lib/jwt.test.ts

@@ -0,0 +1,56 @@
+/* eslint-disable max-len */
+/* eslint-disable @typescript-eslint/consistent-type-assertions */
+import { validateSignature, decodeJwt } from './jwt'
+
+describe('jwt', () => {
+  test('decode', () => {
+    const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
+
+    expect(header).toMatchObject({ alg: 'HS256' })
+    expect(payload).toEqual({ some: 'payload' })
+  })
+
+  test('symmetric pass', async () => {
+    // example from
+    // https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-hs256
+
+    await expect(validateSignature({
+      header: { alg: 'HS256', kid: 'k2' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
+      rawPayload: 'eyJzb21lIjoicGF5bG9hZCJ9',
+      signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
+      trusted: [
+        {
+          issuer: 'test-issuer',
+          secrets: {
+            HS256: {
+              k1: 'old-secret',
+              k2: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).resolves.toBeUndefined()
+  })
+
+  test('symmetric fail', async () => {
+    await expect(validateSignature({
+      header: { alg: 'HS256' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'header',
+      rawPayload: 'payload',
+      signature: 'signature',
+      trusted: [
+        {
+          issuer: 'test-issuer',
+          secrets: {
+            HS256: {
+              theKey: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
+  })
+})

package/components/identity.federation/source/{jwt.cts → lib/jwt.ts}

@@ -1,7 +1,7 @@
 import crypto from 'node:crypto'
 import * as assert from 'node:assert'
-import type { JwtHeader, IdToken } from './types'
-import { type TrustConfiguration } from './schemas'
+import { type JwtHeader, type IdToken } from '../types'
+import { type TrustConfiguration } from '../schemas'
 
 export function decodeJwt (token: string): {
   header: unknown
@@ -20,20 +20,19 @@ export function decodeJwt (token: string): {
 
 export function validateJwtHeader (header: unknown): asserts header is JwtHeader {
   assert.ok(header !== null && typeof header === 'object', 'Header is not an object')
-  assert.ok('typ' in header, 'Header is missing typ')
-  assert.equal(header.typ, 'JWT')
   assert.ok('alg' in header, 'Header is missing alg')
   assert.ok(typeof header.alg === 'string', 'Header alg is not a string')
-  assert.equal(header.alg, 'RS256', `We only validating RS256 id_tokens, but got ${header.alg}`)
+  assert.match(header.alg, /^RS256|HS\d{3}$/, `Unknown algorithm ${header.alg}`)
+  assert.ok(!('kid' in header) || typeof header.kid === 'string', 'kid must be a string if present')
 }
 
-export function validateJwtPayload (
-  payload: unknown,
-  trusted: TrustConfiguration[] = []
-): asserts payload is IdToken {
+export function validateJwtPayload (payload: unknown,
+  trusted: TrustConfiguration[] = [],
+  header: JwtHeader): asserts payload is IdToken {
   assert.ok(trusted.length > 0, 'No trusted issuers provided')
 
-  // full list of validations is at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+  // full list of validations is
+  // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
   assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object')
 
   assert.ok('iss' in payload, 'Payload is missing iss')
@@ -41,9 +40,24 @@ export function validateJwtPayload (
   assert.ok('aud' in payload, 'Payload is missing aud')
   assert.ok(typeof payload.aud === 'string', 'Payload aud is not a string')
 
-  assert.ok(trusted.some(config => config.issuer === payload.iss &&
-     (config.audience === undefined || config.audience.some(a => a === payload.aud))),
-     `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`)
+  const issuer = trusted.find((config) => config.issuer === payload.iss)
+
+  assert.ok(issuer !== undefined &&
+      (issuer.audience === undefined || issuer.audience.some((a) => a === payload.aud),
+      `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`))
+
+  if (header.alg.startsWith('HS')) {
+    const secrets = issuer.secrets
+
+    assert.ok(secrets, `We don't have known secrets for ${payload.iss}`)
+
+    const keys = secrets[header.alg]
+
+    assert.ok(keys, `No known secrets for ${header.alg}`)
+
+    if (typeof header.kid === 'string')
+      assert.ok(header.kid in keys, `No secret ${header.kid} provided for ${header.alg}`)
+  }
 
   assert.ok('sub' in payload, 'Payload is missing sub')
   assert.ok(typeof payload.sub === 'string', 'Payload sub is not a string')
@@ -68,20 +82,39 @@ export async function validateSignature ({
   payload: { iss },
   rawHeader,
   rawPayload,
-  signature
+  signature,
+  trusted = []
 }: {
   readonly header: JwtHeader
   rawHeader: string
   readonly payload: IdToken
   rawPayload: string
   signature: string
+  trusted?: TrustConfiguration[]
 }): Promise<void> {
+  if (alg.startsWith('HS')) {
+    // symmetric algorithm, issuer is validated at this point
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- `kid` is validated
+    const secrets = trusted.find((c) => c.issuer === iss)!.secrets![alg]
+    const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
+    const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
+    const hmac = crypto.createHmac(algorithm, secret)
+
+    hmac.update(rawHeader)
+    hmac.update('.')
+    hmac.update(rawPayload)
+    assert.strictEqual(signature, hmac.digest('base64url'), 'Signature does not match')
+
+    return
+  }
+
   // Getting issuer public keys
   const oidcRequest = await fetch(`${iss}/.well-known/openid-configuration`, {
     cache: 'default'
   })
 
-  assert.ok(oidcRequest.ok, `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
+  assert.ok(oidcRequest.ok,
+    `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
 
   const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
 
@@ -98,10 +131,8 @@ export async function validateSignature ({
 
   assert.ok(signingKeys.length > 0, 'No acceptable signing keys found')
 
-  assert.ok(
-    kid === undefined || signingKeys.length === 1,
-    'Signing key selection is not deterministic'
-  )
+  assert.ok(kid === undefined || signingKeys.length === 1,
+    'Signing key selection is not deterministic')
 
   const signingKey = kid === undefined ? signingKeys.find((k) => k.kid === kid) : keys[0]
 
@@ -114,29 +145,26 @@ export async function validateSignature ({
   verifyFunction.write(rawPayload)
   verifyFunction.end()
 
-  const signatureValid = verifyFunction.verify(
-    { format: 'jwk', key: signingKey },
+  const signatureValid = verifyFunction.verify({ format: 'jwk', key: signingKey },
     signature,
-    'base64url'
-  )
+    'base64url')
 
   assert.ok(signatureValid, 'Failed to validate signature')
 }
 
-export async function validateIdToken (
-  token: string,
-  trusted?: TrustConfiguration[]
-): Promise<IdToken> {
+export async function validateIdToken (token: string,
+  trusted?: TrustConfiguration[]): Promise<IdToken> {
   const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
 
   validateJwtHeader(header)
-  validateJwtPayload(payload, trusted)
+  validateJwtPayload(payload, trusted, header)
   await validateSignature({
     header,
     rawHeader,
     payload,
     rawPayload,
-    signature
+    signature,
+    trusted
   })
 
   return payload

package/components/identity.federation/source/schemas.ts

@@ -42,4 +42,20 @@ export interface TrustConfiguration {
    * @minItems 1
    */
   audience?: [string, ...string[]];
+  /**
+   * Symmetric encryption secrets
+   */
+  secrets?: {
+    /**
+     * This interface was referenced by `undefined`'s JSON-Schema definition
+     * via the `patternProperty` "^HS\d{3}$".
+     */
+    [k: string]: {
+      /**
+       * This interface was referenced by `undefined`'s JSON-Schema definition
+       * via the `patternProperty` "^\w+$".
+       */
+      [k: string]: string;
+    };
+  };
 }

package/components/identity.federation/source/types.ts

@@ -32,7 +32,7 @@ interface IdentityTokensRevokeInput {
 }
 
 export interface JwtHeader {
-  typ: string
+  typ?: string
   alg: string
   kid?: string
 }

package/components/identity.federation/tsconfig.json

@@ -1,9 +1,9 @@
 {
   "extends": "../../tsconfig.json",
   "compilerOptions": {
-    "outDir": "./operations",
+    "outDir": "./operations"
   },
   "include": [
     "source"
   ]
-}
+}

package/components/identity.roles/manifest.toa.yaml

@@ -4,14 +4,20 @@ name: roles
 entity:
   schema:
     identity*: string
-    role*: string
+    role*: /^[a-zA-Z0-9]{1,32}(:[a-zA-Z0-9]{1,32}){0,8}$/
+    grantor: string
+  unique:
+    role: [identity, role]
 
 operations:
-  transit:
+  grant:
     query: false
     input:
-      identity*: string
-      role*: string
+      identity*: .
+      role*: .
+      grantor:
+        id: string
+        roles: [string]
   list:
     output: [string]
   principal:
@@ -20,12 +26,19 @@ operations:
 
 receivers:
   identity.basic.principal: principal
+  identity.federation.principal: principal
 
 exposition:
   isolated: true
   /:identity:
     auth:role: system:identity:roles
-    POST: transit
+    POST:
+      io:output: [id, grantor]
+      auth:rule:
+        delegate: grantor
+        role: system:identity:roles:delegation
+      endpoint: grant
     GET:
+      io:output: true # array of strings
       auth:id: identity
       endpoint: list

package/components/identity.roles/operations/grant.d.ts

@@ -0,0 +1,10 @@
+import type { Entity } from './lib/Entity';
+export declare function transition(input: Input, object: Entity): Promise<Entity | Error>;
+export interface Input {
+    identity: string;
+    role: string;
+    grantor?: {
+        id: string;
+        roles: string[];
+    };
+}

package/components/identity.roles/operations/grant.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.transition = void 0;
+const error_value_1 = require("error-value");
+async function transition(input, object) {
+    if (input.grantor === undefined)
+        return Object.assign(object, input);
+    if (!within('system:identity:roles', input.grantor.roles) &&
+        !within(input.role, input.grantor.roles))
+        return ERR_OUT_OF_SCOPE;
+    object.role = input.role;
+    object.identity = input.identity;
+    object.grantor = input.grantor.id;
+    return object;
+}
+exports.transition = transition;
+function within(role, scopes) {
+    return scopes.some((scope) => role === scope || role.startsWith(scope + ':'));
+}
+const ERR_OUT_OF_SCOPE = (0, error_value_1.Err)('OUT_OF_SCOPE');
+//# sourceMappingURL=grant.js.map

package/components/identity.roles/operations/grant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../source/grant.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAG1B,KAAK,UAAU,UAAU,CAAE,KAAY,EAAE,MAAc;IAC5D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;QAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAErC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACvD,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxC,OAAO,gBAAgB,CAAA;IAEzB,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;IACxB,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;IAChC,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAA;IAEjC,OAAO,MAAM,CAAA;AACf,CAAC;AAbD,gCAaC;AAED,SAAS,MAAM,CAAE,IAAY,EAAE,MAAgB;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAA;AAC/E,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAA,iBAAG,EAAC,cAAc,CAAC,CAAA"}

package/components/identity.roles/operations/lib/Entity.d.ts

@@ -0,0 +1,5 @@
+export interface Entity {
+    identity: string;
+    role: string;
+    grantor?: string;
+}

package/components/identity.roles/operations/lib/Entity.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Entity.js.map

package/components/identity.roles/operations/lib/Entity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Entity.js","sourceRoot":"","sources":["../../source/lib/Entity.ts"],"names":[],"mappings":""}

package/components/identity.roles/operations/list.d.ts

@@ -1,5 +1,2 @@
+import type { Entity } from './lib/Entity';
 export declare function observation(_: unknown, objects: Entity[]): string[];
-interface Entity {
-    role: string;
-}
-export {};

package/components/identity.roles/operations/list.js.map

@@ -1 +1 @@
-{"version":3,"file":"list.js","sourceRoot":"","sources":["../source/list.ts"],"names":[],"mappings":";;;AAAA,SAAgB,WAAW,CAAE,CAAU,EAAE,OAAiB;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;AACxC,CAAC;AAFD,kCAEC"}
+{"version":3,"file":"list.js","sourceRoot":"","sources":["../source/list.ts"],"names":[],"mappings":";;;AAEA,SAAgB,WAAW,CAAE,CAAU,EAAE,OAAiB;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;AACxC,CAAC;AAFD,kCAEC"}

package/components/identity.roles/operations/principal.d.ts

@@ -1,15 +1,13 @@
-import { type Call } from '@toa.io/types';
+import type { Entity } from './lib/Entity';
+import type { Call } from '@toa.io/types';
+import type { Input as GrantInput } from './grant';
 export declare function effect(input: Identity, context: Context): Promise<void>;
 interface Identity {
     id: string;
 }
 export interface Context {
     local: {
-        transit: Call<void, TransitInput>;
+        grant: Call<Entity, GrantInput>;
     };
 }
-interface TransitInput {
-    identity: string;
-    role: string;
-}
 export {};

package/components/identity.roles/operations/principal.js

@@ -2,7 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.effect = void 0;
 async function effect(input, context) {
-    await context.local.transit({ input: { identity: input.id, role: 'system' } });
+    await context.local.grant({
+        input: {
+            identity: input.id,
+            role: 'system'
+        }
+    });
 }
 exports.effect = effect;
 //# sourceMappingURL=principal.js.map

package/components/identity.roles/operations/principal.js.map

@@ -1 +1 @@
-{"version":3,"file":"principal.js","sourceRoot":"","sources":["../source/principal.ts"],"names":[],"mappings":";;;AAEO,KAAK,UAAU,MAAM,CAAE,KAAe,EAAE,OAAgB;IAC7D,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAFD,wBAEC"}
+{"version":3,"file":"principal.js","sourceRoot":"","sources":["../source/principal.ts"],"names":[],"mappings":";;;AAIO,KAAK,UAAU,MAAM,CAAE,KAAe,EAAE,OAAgB;IAC7D,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC;QACxB,KAAK,EAAE;YACL,QAAQ,EAAE,KAAK,CAAC,EAAE;YAClB,IAAI,EAAE,QAAQ;SACf;KACF,CAAC,CAAA;AACJ,CAAC;AAPD,wBAOC"}