@toa.io/extensions.exposition 1.0.0-alpha.2 → 1.0.0-alpha.3

package/components/identity.federation/source/lib/jwt.test.ts

@@ -0,0 +1,56 @@
+/* eslint-disable max-len */
+/* eslint-disable @typescript-eslint/consistent-type-assertions */
+import { validateSignature, decodeJwt } from './jwt'
+
+describe('jwt', () => {
+  test('decode', () => {
+    const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
+
+    expect(header).toMatchObject({ alg: 'HS256' })
+    expect(payload).toEqual({ some: 'payload' })
+  })
+
+  test('symmetric pass', async () => {
+    // example from
+    // https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-hs256
+
+    await expect(validateSignature({
+      header: { alg: 'HS256', kid: 'k2' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
+      rawPayload: 'eyJzb21lIjoicGF5bG9hZCJ9',
+      signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
+      trusted: [
+        {
+          issuer: 'test-issuer',
+          secrets: {
+            HS256: {
+              k1: 'old-secret',
+              k2: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).resolves.toBeUndefined()
+  })
+
+  test('symmetric fail', async () => {
+    await expect(validateSignature({
+      header: { alg: 'HS256' },
+      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
+      rawHeader: 'header',
+      rawPayload: 'payload',
+      signature: 'signature',
+      trusted: [
+        {
+          issuer: 'test-issuer',
+          secrets: {
+            HS256: {
+              theKey: 'secret'
+            }
+          }
+        }
+      ]
+    } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
+  })
+})

package/components/identity.federation/source/{jwt.cts → lib/jwt.ts}

@@ -1,7 +1,7 @@
 import crypto from 'node:crypto'
 import * as assert from 'node:assert'
-import type { JwtHeader, IdToken } from './types'
-import { type TrustConfiguration } from './schemas'
+import { type JwtHeader, type IdToken } from '../types'
+import { type TrustConfiguration } from '../schemas'
 
 export function decodeJwt (token: string): {
   header: unknown
@@ -20,20 +20,19 @@ export function decodeJwt (token: string): {
 
 export function validateJwtHeader (header: unknown): asserts header is JwtHeader {
   assert.ok(header !== null && typeof header === 'object', 'Header is not an object')
-  assert.ok('typ' in header, 'Header is missing typ')
-  assert.equal(header.typ, 'JWT')
   assert.ok('alg' in header, 'Header is missing alg')
   assert.ok(typeof header.alg === 'string', 'Header alg is not a string')
-  assert.equal(header.alg, 'RS256', `We only validating RS256 id_tokens, but got ${header.alg}`)
+  assert.match(header.alg, /^RS256|HS\d{3}$/, `Unknown algorithm ${header.alg}`)
+  assert.ok(!('kid' in header) || typeof header.kid === 'string', 'kid must be a string if present')
 }
 
-export function validateJwtPayload (
-  payload: unknown,
-  trusted: TrustConfiguration[] = []
-): asserts payload is IdToken {
+export function validateJwtPayload (payload: unknown,
+  trusted: TrustConfiguration[] = [],
+  header: JwtHeader): asserts payload is IdToken {
   assert.ok(trusted.length > 0, 'No trusted issuers provided')
 
-  // full list of validations is at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+  // full list of validations is
+  // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
   assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object')
 
   assert.ok('iss' in payload, 'Payload is missing iss')
@@ -41,9 +40,24 @@ export function validateJwtPayload (
   assert.ok('aud' in payload, 'Payload is missing aud')
   assert.ok(typeof payload.aud === 'string', 'Payload aud is not a string')
 
-  assert.ok(trusted.some(config => config.issuer === payload.iss &&
-     (config.audience === undefined || config.audience.some(a => a === payload.aud))),
-     `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`)
+  const issuer = trusted.find((config) => config.issuer === payload.iss)
+
+  assert.ok(issuer !== undefined &&
+      (issuer.audience === undefined || issuer.audience.some((a) => a === payload.aud),
+      `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`))
+
+  if (header.alg.startsWith('HS')) {
+    const secrets = issuer.secrets
+
+    assert.ok(secrets, `We don't have known secrets for ${payload.iss}`)
+
+    const keys = secrets[header.alg]
+
+    assert.ok(keys, `No known secrets for ${header.alg}`)
+
+    if (typeof header.kid === 'string')
+      assert.ok(header.kid in keys, `No secret ${header.kid} provided for ${header.alg}`)
+  }
 
   assert.ok('sub' in payload, 'Payload is missing sub')
   assert.ok(typeof payload.sub === 'string', 'Payload sub is not a string')
@@ -68,20 +82,39 @@ export async function validateSignature ({
   payload: { iss },
   rawHeader,
   rawPayload,
-  signature
+  signature,
+  trusted = []
 }: {
   readonly header: JwtHeader
   rawHeader: string
   readonly payload: IdToken
   rawPayload: string
   signature: string
+  trusted?: TrustConfiguration[]
 }): Promise<void> {
+  if (alg.startsWith('HS')) {
+    // symmetric algorithm, issuer is validated at this point
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- `kid` is validated
+    const secrets = trusted.find((c) => c.issuer === iss)!.secrets![alg]
+    const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
+    const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
+    const hmac = crypto.createHmac(algorithm, secret)
+
+    hmac.update(rawHeader)
+    hmac.update('.')
+    hmac.update(rawPayload)
+    assert.strictEqual(signature, hmac.digest('base64url'), 'Signature does not match')
+
+    return
+  }
+
   // Getting issuer public keys
   const oidcRequest = await fetch(`${iss}/.well-known/openid-configuration`, {
     cache: 'default'
   })
 
-  assert.ok(oidcRequest.ok, `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
+  assert.ok(oidcRequest.ok,
+    `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
 
   const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
 
@@ -98,10 +131,8 @@ export async function validateSignature ({
 
   assert.ok(signingKeys.length > 0, 'No acceptable signing keys found')
 
-  assert.ok(
-    kid === undefined || signingKeys.length === 1,
-    'Signing key selection is not deterministic'
-  )
+  assert.ok(kid === undefined || signingKeys.length === 1,
+    'Signing key selection is not deterministic')
 
   const signingKey = kid === undefined ? signingKeys.find((k) => k.kid === kid) : keys[0]
 
@@ -114,29 +145,26 @@ export async function validateSignature ({
   verifyFunction.write(rawPayload)
   verifyFunction.end()
 
-  const signatureValid = verifyFunction.verify(
-    { format: 'jwk', key: signingKey },
+  const signatureValid = verifyFunction.verify({ format: 'jwk', key: signingKey },
     signature,
-    'base64url'
-  )
+    'base64url')
 
   assert.ok(signatureValid, 'Failed to validate signature')
 }
 
-export async function validateIdToken (
-  token: string,
-  trusted?: TrustConfiguration[]
-): Promise<IdToken> {
+export async function validateIdToken (token: string,
+  trusted?: TrustConfiguration[]): Promise<IdToken> {
   const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
 
   validateJwtHeader(header)
-  validateJwtPayload(payload, trusted)
+  validateJwtPayload(payload, trusted, header)
   await validateSignature({
     header,
     rawHeader,
     payload,
     rawPayload,
-    signature
+    signature,
+    trusted
   })
 
   return payload

package/components/identity.federation/source/schemas.ts

@@ -42,4 +42,20 @@ export interface TrustConfiguration {
    * @minItems 1
    */
   audience?: [string, ...string[]];
+  /**
+   * Symmetric encryption secrets
+   */
+  secrets?: {
+    /**
+     * This interface was referenced by `undefined`'s JSON-Schema definition
+     * via the `patternProperty` "^HS\d{3}$".
+     */
+    [k: string]: {
+      /**
+       * This interface was referenced by `undefined`'s JSON-Schema definition
+       * via the `patternProperty` "^\w+$".
+       */
+      [k: string]: string;
+    };
+  };
 }

package/components/identity.federation/source/types.ts

@@ -32,7 +32,7 @@ interface IdentityTokensRevokeInput {
 }
 
 export interface JwtHeader {
-  typ: string
+  typ?: string
   alg: string
   kid?: string
 }

package/documentation/components.md

@@ -100,6 +100,8 @@ The configuration schema alongside default values is described in the [component
 
 No federated tokens are accepted by default until at least one entry is added to the `trust` configuration.
 
+Toa supports either asymmetric RS256 or symmetric HS256 / HS384 / HS512 tokens with pre-shared secrets.
+
 ```yaml
 # context.toa.yaml
 
@@ -110,6 +112,11 @@ configuration:
         audience:
           - https://github.com/tinovyatkin
           - https://github.com/temich
+
+      - issuer: some.private.issuer
+        secrets:
+          HS256:
+            k1: <secret-to-be-used-for-hs256>
 ```
 
 ## Stateless tokens

package/documentation/identity.md

@@ -80,7 +80,14 @@ configuration:
       - issuer: https://accounts.google.com
         audience:
           - <GOOGLE_CLIENT_ID>
+
       - issuer: https://appleid.apple.com
+
+      - issuer: private.entity
+        secrets:
+          HS384:
+            key0: <THE-SECRET-STRING-FOR-HS384>
+            key1: <THE-SECRET-STRING-FOR-HS384> # selected by `kid` in the JWT header
 ```
 
 ## Identity inception

package/documentation/octets.md

@@ -209,6 +209,18 @@ under the request path.
 
 The request body must be a list of entry identifiers.
 
+## `octets:workflow`
+
+Execute a [workflow](#workflows) on the entry under the request path.
+
+```yaml
+/images:
+  /*:
+    DELETE:
+      octets:workflow:
+        archive: images.archive
+```
+
 ## Workflows
 
 A workflow is a list of endpoints to be called.

package/features/identity.federation.feature

@@ -54,6 +54,36 @@ Feature: Identity Federation
       id: ${{ User.id }}
       """
 
+  Scenario: Getting identity for a user with symmetric tokens
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+          secrets:
+            HS384:
+              k1: the-secret
+      """
+    And the IDP HS384 token for GoodUser is issued with following secret:
+      """
+      the-secret
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ GoodUser.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ GoodUser.token }}
+
+      id: ${{ GoodUser.id }}
+      scheme: bearer
+      """
+
   Scenario: Creating an Identity using inception with existing credentials
     Given the `identity.federation` configuration:
       """yaml
@@ -67,7 +97,7 @@ Feature: Identity Federation
           anonymous: true
           POST:
             incept: id
-            endpoint: transit
+            endpoint: create
       """
     And the IDP token for Bill is issued
     When the following request is received:

package/features/octets.workflows.feature

@@ -246,3 +246,41 @@ Feature: Octets storage workflows
       concat: hello world
       --cut--
       """
+
+  Scenario: Executing a workflow with `octets:workflow`
+    Given the `octets.tester` is running
+    And the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        octets:context: octets
+        POST:
+          octets:store: ~
+        /*:
+          DELETE:
+            octets:workflow:
+              echo: octets.tester.echo
+      """
+    When the stream of `lenna.ascii` is received with the following headers:
+      """
+      POST / HTTP/1.1
+      content-type: application/octet-stream
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      """
+      DELETE /10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      202 Accepted
+      content-type: multipart/yaml; boundary=cut
+
+      --cut
+      echo: 10cf16b458f759e0d617f2f3d83599ff
+      --cut--
+      """

package/features/steps/IdP.ts

@@ -117,4 +117,33 @@ export class IdP {
 
     this.captures.set(`${user}.id_token`, idToken)
   }
+
+  @given('the IDP {word} token for {word} is issued with following secret:')
+  public async issueSymmetricToken (alg: string, user: string, secret: string): Promise<void> {
+    console.log('Sym token for %s with secret "%s"', user, secret)
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg
+      },
+      {
+        iss: IdP.issuer,
+        sub: `${user}-mock-id`,
+        aud: 'test',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createHmac(alg.replace(/^HS(\d{3})$/, 'sha$1'), secret)
+      .update(jwt)
+      .digest('base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set(`${user}.id_token`, idToken)
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "1.0.0-alpha.2",
+  "version": "1.0.0-alpha.3",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -17,10 +17,10 @@
     "access": "public"
   },
   "dependencies": {
-    "@toa.io/core": "1.0.0-alpha.2",
-    "@toa.io/generic": "1.0.0-alpha.2",
-    "@toa.io/schemas": "1.0.0-alpha.2",
-    "@toa.io/streams": "1.0.0-alpha.2",
+    "@toa.io/core": "1.0.0-alpha.3",
+    "@toa.io/generic": "1.0.0-alpha.3",
+    "@toa.io/schemas": "1.0.0-alpha.3",
+    "@toa.io/streams": "1.0.0-alpha.3",
     "bcryptjs": "2.4.3",
     "error-value": "0.3.0",
     "express": "4.18.2",
@@ -45,12 +45,12 @@
     "features": "cucumber-js"
   },
   "devDependencies": {
-    "@toa.io/agent": "1.0.0-alpha.2",
-    "@toa.io/extensions.storages": "1.0.0-alpha.2",
+    "@toa.io/agent": "1.0.0-alpha.3",
+    "@toa.io/extensions.storages": "1.0.0-alpha.3",
     "@types/bcryptjs": "2.4.3",
     "@types/cors": "2.8.13",
     "@types/express": "4.17.17",
     "@types/negotiator": "0.6.1"
   },
-  "gitHead": "7688e6e980a65c82ac2e459be4e355eebf406cd0"
+  "gitHead": "e36ac7871fc14d15863aaf8f9bbdeace8bdfa9f0"
 }

package/schemas/octets/workflow.cos.yaml

@@ -0,0 +1,12 @@
+definitions:
+  unit:
+    type: object
+    patternProperties:
+      ^[a-zA-Z0-9_]+$:
+        type: string
+
+oneOf:
+  - $ref: '#/definitions/unit'
+  - type: array
+    items:
+      $ref: '#/definitions/unit'

package/source/directives/octets/Delete.ts

@@ -1,9 +1,9 @@
 import { Readable } from 'stream'
 import { NotFound } from '../../HTTP'
 import * as schemas from './schemas'
-import { Workflow } from './workflow'
+import { Workflow } from './workflows'
 import type { Parameter } from '../../RTD'
-import type { Unit } from './workflow'
+import type { Unit } from './workflows'
 import type { Maybe } from '@toa.io/types'
 import type { Component } from '@toa.io/core'
 import type { Output } from '../../io'

package/source/directives/octets/Octets.ts

@@ -5,6 +5,7 @@ import { Fetch } from './Fetch'
 import { List } from './List'
 import { Delete } from './Delete'
 import { Permute } from './Permute'
+import { WorkflowDirective } from './Workflow'
 import type { Output } from '../../io'
 import type { Component } from '@toa.io/core'
 import type { Remotes } from '../../Remotes'
@@ -63,7 +64,8 @@ const DIRECTIVES: Record<string, Constructor> = {
   fetch: Fetch,
   list: List,
   delete: Delete,
-  permute: Permute
+  permute: Permute,
+  workflow: WorkflowDirective
 }
 
 type Constructor = new (value: any, discovery: Promise<Component>, remotes: Remotes) => Directive

package/source/directives/octets/Store.ts

@@ -1,10 +1,12 @@
+import { PassThrough } from 'node:stream'
 import { match } from 'matchacho'
 import { BadRequest, UnsupportedMediaType } from '../../HTTP'
 import { cors } from '../cors'
 import * as schemas from './schemas'
-import { Workflow } from './workflow'
+import { Workflow } from './workflows'
+import type { Readable } from 'stream'
 import type { Parameter } from '../../RTD'
-import type { Unit } from './workflow'
+import type { Unit } from './workflows'
 import type { Entry } from '@toa.io/extensions.storages'
 import type { Remotes } from '../../Remotes'
 import type { ErrorType } from 'error-value'
@@ -60,11 +62,23 @@ export class Store implements Directive {
   private reply (request: Input, storage: string, entry: Entry, parameters: Parameter[]): Output {
     const body = this.workflow === undefined
       ? entry
-      : this.workflow.execute(request, storage, entry, parameters)
+      : this.execute(request, storage, entry, parameters)
 
     return { body }
   }
 
+  // eslint-disable-next-line max-params
+  private execute
+  (request: Input, storage: string, entry: Entry, parameters: Parameter[]): Readable {
+    const stream = new PassThrough({ objectMode: true })
+
+    stream.push(entry)
+
+    this.workflow!.execute(request, storage, entry, parameters).pipe(stream)
+
+    return stream
+  }
+
   private throw (error: ErrorType): never {
     throw match(error.code,
       'NOT_ACCEPTABLE', () => new UnsupportedMediaType(),

package/source/directives/octets/Workflow.ts

@@ -0,0 +1,41 @@
+import { NotFound } from '../../HTTP'
+import * as schemas from './schemas'
+import { Workflow } from './workflows'
+import type { Unit } from './workflows'
+import type { Directive, Input } from './types'
+import type { Component } from '@toa.io/core'
+import type { Output } from '../../io'
+import type { Remotes } from '../../Remotes'
+import type { Maybe } from '@toa.io/types'
+import type { Entry } from '@toa.io/extensions.storages'
+import type { Parameter } from '../../RTD'
+
+export class WorkflowDirective implements Directive {
+  public readonly targeted = true
+
+  private readonly workflow: Workflow
+  private readonly discovery: Promise<Component>
+  private storage: Component | null = null
+
+  public constructor (units: Unit[] | Unit, discovery: Promise<Component>, remotes: Remotes) {
+    schemas.workflow.validate(units)
+
+    this.workflow = new Workflow(units, remotes)
+    this.discovery = discovery
+  }
+
+  public async apply (storage: string, request: Input, parameters: Parameter[]): Promise<Output> {
+    this.storage ??= await this.discovery
+
+    const entry = await this.storage.invoke<Maybe<Entry>>('get',
+      { input: { storage, path: request.url } })
+
+    if (entry instanceof Error)
+      throw new NotFound()
+
+    return {
+      status: 202,
+      body: this.workflow.execute(request, storage, entry, parameters)
+    }
+  }
+}

package/source/directives/octets/schemas.test.ts

@@ -0,0 +1,21 @@
+import * as schemas from './schemas'
+
+describe('workflow', () => {
+  const ok = [
+    { echo: 'hello world' },
+    [{ echo: 'hello world' }, { ok: 'ok' }]
+  ]
+
+  const oh = [
+    { echo: [] },
+    { echo: 'hello world', ok: { not: 'ok' } }
+  ]
+
+  it.each(ok)('should be valid', (workflow) => {
+    expect(() => schemas.workflow.validate(workflow)).not.toThrow()
+  })
+
+  it.each(oh)('should not be valid', (workflow) => {
+    expect(() => schemas.workflow.validate(workflow)).toThrow()
+  })
+})

package/source/directives/octets/schemas.ts

@@ -5,6 +5,7 @@ import type { Permissions as ListPermissions } from './List'
 import type { Options as StoreOptions } from './Store'
 import type { Options as DeleteOptions } from './Delete'
 import type { Schema } from '@toa.io/schemas'
+import type { Unit } from './workflows'
 
 const path = resolve(__dirname, '../../../schemas/octets')
 const namespace = schemas.namespace(path)
@@ -15,3 +16,4 @@ export const fetch: Schema<FetchPermissions | null> = namespace.schema('fetch')
 export const remove: Schema<DeleteOptions | null> = namespace.schema('delete')
 export const list: Schema<ListPermissions | null> = namespace.schema('list')
 export const permute: Schema<null> = namespace.schema('permute')
+export const workflow: Schema<Unit[] | Unit> = namespace.schema('workflow')

package/source/directives/octets/{workflow → workflows}/Execution.ts

@@ -27,8 +27,6 @@ export class Execution extends Readable {
   }
 
   private async run (): Promise<void> {
-    this.push(this.context.entry)
-
     for (const unit of this.units) {
       await this.execute(unit)
 

package/transpiled/directives/octets/Delete.d.ts

@@ -1,5 +1,5 @@
 import type { Parameter } from '../../RTD';
-import type { Unit } from './workflow';
+import type { Unit } from './workflows';
 import type { Component } from '@toa.io/core';
 import type { Output } from '../../io';
 import type { Directive, Input } from './types';

package/transpiled/directives/octets/Delete.js

@@ -27,7 +27,7 @@ exports.Delete = void 0;
 const stream_1 = require("stream");
 const HTTP_1 = require("../../HTTP");
 const schemas = __importStar(require("./schemas"));
-const workflow_1 = require("./workflow");
+const workflows_1 = require("./workflows");
 class Delete {
     targeted = true;
     workflow;
@@ -36,7 +36,7 @@ class Delete {
     constructor(options, discovery, remotes) {
         schemas.remove.validate(options);
         if (options?.workflow !== undefined)
-            this.workflow = new workflow_1.Workflow(options.workflow, remotes);
+            this.workflow = new workflows_1.Workflow(options.workflow, remotes);
         this.discovery = discovery;
     }
     async apply(storage, request, parameters) {