@toa.io/extensions.exposition 1.0.0-alpha.4 → 1.0.0-alpha.40

package/source/RTD/Node.ts

@@ -1,20 +1,15 @@
 import { type Route } from './Route'
 import { type Methods } from './Method'
 import { type Match, type Parameter } from './Match'
-import { type Directives } from './Directives'
-import { type Endpoint } from './Endpoint'
 
-export class Node<
-  TEndpoint extends Endpoint<TEndpoint> = any,
-  TDirectives extends Directives<TDirectives> = any
-> {
+export class Node {
   public intermediate: boolean
-  public methods: Methods<TEndpoint, TDirectives>
+  public methods: Methods
   private readonly protected: boolean
   private routes: Route[]
 
   public constructor
-  (routes: Route[], methods: Methods<TEndpoint, TDirectives>, properties: Properties) {
+  (routes: Route[], methods: Methods, properties: Properties) {
     this.routes = routes
     this.methods = methods
     this.protected = properties.protected
@@ -34,26 +29,30 @@ export class Node<
     return null
   }
 
-  public merge (node: Node<TEndpoint, TDirectives>): void {
+  public merge (node: Node): void {
     this.intermediate = node.intermediate
 
-    if (!this.protected) this.replace(node)
-    else this.append(node)
+    if (!this.protected)
+      this.replace(node)
+    else
+      this.append(node)
 
     this.sort()
   }
 
-  private replace (node: Node<TEndpoint, TDirectives>): void {
+  private replace (node: Node): void {
     const methods = Object.values(this.methods)
 
     this.routes = node.routes
     this.methods = node.methods
 
     for (const method of methods)
-      void method.close() // race condition is really unlikely
+      void method.close()
+
+    // race condition is really unlikely
   }
 
-  private append (node: Node<TEndpoint, TDirectives>): void {
+  private append (node: Node): void {
     for (const route of node.routes)
       this.mergeRoute(route)
 

package/source/RTD/Tree.ts

@@ -1,32 +1,32 @@
-import { type Node } from './Node'
 import { createNode } from './factory'
 import { fragment } from './segment'
-import { type Match } from './Match'
-import { type Context } from './Context'
-import { type Directives, type DirectivesFactory } from './Directives'
-import { type Endpoint, type EndpointsFactory } from './Endpoint'
+import type { Node } from './Node'
+import type { Match } from './Match'
+import type { Context } from './Context'
+import type { DirectiveFactory } from './Directives'
+import type { EndpointsFactory } from './Endpoint'
 import type * as syntax from './syntax'
 
-export class Tree<
-  TEndpoint extends Endpoint<TEndpoint> = any,
-  TDirectives extends Directives<TDirectives> = any
-> {
+export class Tree {
   private readonly root: syntax.Node
-  private readonly trunk: Node<TEndpoint, TDirectives>
-  private readonly endpoints: EndpointsFactory<TEndpoint>
-  private readonly directives: DirectivesFactory
+  private readonly trunk: Node
+  private readonly endpoints: EndpointsFactory
+  private readonly directives: DirectiveFactory
 
   public constructor
-  (node: syntax.Node, endpoints: EndpointsFactory, directives: DirectivesFactory) {
+  (node: syntax.Node, endpoints: EndpointsFactory, directives: DirectiveFactory) {
     this.endpoints = endpoints
     this.directives = directives
     this.trunk = this.createNode(node, PROTECTED)
     this.root = node
   }
 
-  public match (path: string): Match<TEndpoint, TDirectives> | null {
+  public match (path: string): Match | null {
     if (path === '/')
-      return { node: this.trunk, parameters: [] }
+      return {
+        node: this.trunk,
+        parameters: []
+      }
 
     const fragments = fragment(path)
 
@@ -39,7 +39,8 @@ export class Tree<
     this.trunk.merge(branch)
   }
 
-  private createNode (node: syntax.Node, protect: boolean, extension?: any): Node {
+  private createNode
+  (node: syntax.Node, protect: boolean, extension?: any): Node {
     const context: Context = {
       protected: protect,
       endpoints: this.endpoints,

package/source/RTD/factory.ts

@@ -1,14 +1,11 @@
 import { Node, type Properties } from './Node'
 import { Route } from './Route'
-import { type Context } from './Context'
 import { segment } from './segment'
 import { Method, type Methods } from './Method'
-import { type Endpoint } from './Endpoint'
-import { type Directives } from './Directives'
+import type { Context } from './Context'
 import type * as syntax from './syntax'
 
-export function createNode<TEndpoint extends Endpoint, TDirectives extends Directives>
-(node: syntax.Node, context: Context): Node<TEndpoint, TDirectives> {
+export function createNode (node: syntax.Node, context: Context): Node {
   if (node.isolated === true)
     context.directives.stack = node.directives
   else
@@ -36,7 +33,7 @@ function createRoute (route: syntax.Route, context: Context): Route {
 }
 
 function createMethod (method: syntax.Method, context: Context): Method {
-  const stack = context.directives.stack.concat(method.directives.reverse())
+  const stack = method.directives.concat(context.directives.stack)
   const directives = context.directives.factory.create(stack)
 
   const endpoint = method.mapping?.endpoint === undefined

package/source/Tenant.ts

@@ -25,14 +25,6 @@ export class Tenant extends Connector {
   public override async open (): Promise<void> {
     await this.expose()
     await this.broadcast.receive('ping', this.expose.bind(this))
-
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has started.`)
-  }
-
-  public override async dispose (): Promise<void> {
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has been stopped.`)
   }
 
   private async expose (): Promise<void> {

package/source/deployment.ts

@@ -1,3 +1,4 @@
+import assert from 'node:assert'
 import { type Dependency, type Service } from '@toa.io/operations'
 import { encode } from '@toa.io/generic'
 import { type Annotation } from './Annotation'
@@ -5,26 +6,29 @@ import * as schemas from './schemas'
 import { shortcuts } from './Directive'
 import { components } from './Composition'
 import { parse } from './RTD/syntax'
+import { DELAY, PORT } from './HTTP/Server'
+
+export function deployment (_: unknown, annotation?: Annotation): Dependency {
+  assert.ok(annotation !== undefined, 'Exposition context annotation is required')
+  schemas.annotation.validate(annotation)
 
-export function deployment (_: unknown, annotation: Annotation | undefined): Dependency {
   const labels = components().labels
 
   const service: Service = {
     group: 'exposition',
     name: 'gateway',
-    port: 8000,
+    port: PORT,
     // eslint-disable-next-line @typescript-eslint/no-var-requires
     version: require('../package.json').version,
     variables: [],
-    components: labels
-  }
-
-  if (annotation?.host !== undefined)
-    service.ingress = {
-      host: annotation.host,
-      class: annotation.class,
-      annotations: annotation.annotations
+    components: labels,
+    ingress: { hosts: [] },
+    probe: {
+      path: '/.ready',
+      port: PORT,
+      delay: DELAY
     }
+  }
 
   if (annotation?.['/'] !== undefined) {
     const tree = parse(annotation['/'], shortcuts)
@@ -35,20 +39,26 @@ export function deployment (_: unknown, annotation: Annotation | undefined): Dep
     })
   }
 
-  if (annotation?.debug === true)
-    service.variables.push({
-      name: 'TOA_EXPOSITION_DEBUG',
-      value: '1'
-    })
+  const { debug, trace, authorities } = annotation
 
-  if (annotation?.trace === true)
-    service.variables.push({
-      name: 'TOA_EXPOSITION_TRACE',
-      value: '1'
-    })
+  service.ingress.hosts = Object.values(authorities)
+  service.ingress.class = annotation.class
+  service.ingress.annotations = annotation.annotations
+
+  const properties: Properties = { authorities }
 
-  if (annotation !== undefined)
-    schemas.annotaion.validate(annotation)
+  if (debug === true)
+    properties.debug = true
+
+  if (trace === true)
+    properties.trace = true
+
+  service.variables.push({
+    name: 'TOA_EXPOSITION_PROPERTIES',
+    value: encode(properties)
+  })
 
   return { services: [service] }
 }
+
+type Properties = Pick<Annotation, 'authorities' | 'debug' | 'trace'>

package/source/directives/auth/Authorization.ts

@@ -7,14 +7,14 @@ import { Role } from './Role'
 import { Rule } from './Rule'
 import { Incept } from './Incept'
 import { Echo } from './Echo'
-import { split } from './split'
 import { Scheme } from './Scheme'
+import { Delegate } from './Delegate'
+import { split } from './split'
 import { PRIMARY, PROVIDERS } from './schemes'
 import type { Output } from '../../io'
 import type { Component } from '@toa.io/core'
 import type { Remotes } from '../../Remotes'
-import type { Family } from '../../Directive'
-import type { Parameter } from '../../RTD'
+import type { Parameter, DirectiveFamily } from '../../RTD'
 import type {
   AuthenticationResult,
   Ban,
@@ -27,7 +27,7 @@ import type {
   Schemes
 } from './types'
 
-export class Authorization implements Family<Directive, Extension> {
+export class Authorization implements DirectiveFamily<Directive, Extension> {
   public readonly depends: string[] = ['Vary']
   public readonly name: string = 'auth'
   public readonly mandatory: boolean = true
@@ -38,10 +38,10 @@ export class Authorization implements Family<Directive, Extension> {
   private bans: Component | null = null
 
   public create (name: string, value: any, remotes: Remotes): Directive {
-    assert.ok(name in CLASSES,
-      `Directive '${name}' is not provided by the '${this.name}' family.`)
+    assert.ok(name in constructors,
+      `Directive 'auth:${name}' is not implemented.`)
 
-    const Class = CLASSES[name]
+    const Class = constructors[name]
 
     for (const name of REMOTES)
       this.discovery[name] ??= remotes.discover('identity', name)
@@ -50,13 +50,22 @@ export class Authorization implements Family<Directive, Extension> {
       Role, () => new Role(value as string | string[], this.discovery.roles),
       Rule, () => new Rule(value as Record<string, string>, this.create.bind(this)),
       Incept, () => new Incept(value as string, this.discovery),
+      Delegate, () => new Delegate(value as string, this.discovery.roles),
       () => new Class(value))
   }
 
   public async preflight (directives: Directive[],
     input: Input,
     parameters: Parameter[]): Promise<Output> {
-    const identity = await this.resolve(input.request.headers.authorization)
+    /**
+     * Some authentication scheme providers may create identity during authentication;
+     * therefore, we need to skip the authentication process if the Incept directive is present.
+     *
+     * If the provided credentials already exist,
+     * the inception will cause a unique constraint violation on the settle stage.
+     */
+    const inception = directives.reduce((yes, directive) => yes || directive instanceof Incept, false)
+    const identity = inception ? null : await this.resolve(input.authority, input.request.headers.authorization)
 
     input.identity = identity
 
@@ -80,25 +89,31 @@ export class Authorization implements Family<Directive, Extension> {
 
     const identity = request.identity
 
-    if (identity === null) return
+    if (identity === null)
+      return
 
-    if (identity.scheme === PRIMARY && !identity.refresh) return
+    if (identity.scheme === PRIMARY && !identity.refresh)
+      return
 
     // Role directive may have already set the value
-    if (identity.roles === undefined) await Role.set(identity, this.discovery.roles)
+    if (identity.roles === undefined)
+      await Role.set(identity, this.discovery.roles)
 
     this.tokens ??= await this.discovery.tokens
 
-    const token = await this.tokens.invoke<string>('encrypt', { input: { identity } })
-    const authorization = `Token ${token}`
+    const token = await this.tokens.invoke<string>('encrypt', {
+      input: { authority: request.authority, identity }
+    })
 
-    if (response.headers === undefined) response.headers = new Headers()
+    const authorization = `Token ${token}`
 
+    response.headers ??= new Headers()
     response.headers.set('authorization', authorization)
   }
 
-  private async resolve (authorization: string | undefined): Promise<Identity | null> {
-    if (authorization === undefined) return null
+  private async resolve (authority: string, authorization: string | undefined): Promise<Identity | null> {
+    if (authorization === undefined)
+      return null
 
     const [scheme, credentials] = split(authorization)
     const provider = PROVIDERS[scheme]
@@ -109,7 +124,10 @@ export class Authorization implements Family<Directive, Extension> {
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const result = await this.schemes[scheme].invoke<AuthenticationResult>('authenticate', {
-      input: credentials
+      input: {
+        authority,
+        credentials
+      }
     })
 
     if (result instanceof Error) return null
@@ -133,14 +151,15 @@ export class Authorization implements Family<Directive, Extension> {
   }
 }
 
-const CLASSES: Record<string, new (value: any, argument?: any) => Directive> = {
+const constructors: Record<string, new (value: any, argument?: any) => Directive> = {
   anonymous: Anonymous,
   id: Id,
   role: Role,
   rule: Rule,
   incept: Incept,
   scheme: Scheme,
-  echo: Echo
+  echo: Echo,
+  delegate: Delegate
 }
 
 const REMOTES: Remote[] = ['basic', 'federation', 'tokens', 'roles', 'bans']

package/source/directives/auth/Delegate.ts

@@ -0,0 +1,42 @@
+import { BadRequest } from '../../HTTP'
+import { type Directive, type Identity } from './types'
+import { Role } from './Role'
+import type { Component } from '@toa.io/core'
+import type { Input } from '../../io'
+
+export class Delegate implements Directive {
+  private readonly property: string
+  private readonly discovery: Promise<Component>
+
+  public constructor (property: string, discovery: Promise<Component>) {
+    this.property = property
+    this.discovery = discovery
+  }
+
+  public async authorize (identity: Identity | null, context: Input): Promise<boolean> {
+    if (identity === null)
+      return false
+
+    if (identity.roles === undefined)
+      await Role.set(identity, this.discovery)
+
+    context.pipelines.body.push((body) => this.embed(body, identity))
+
+    return true
+  }
+
+  private embed (body: unknown, identity: Identity): Record<string, unknown> {
+    if (body === undefined)
+      body = {}
+
+    check(body)
+    body[this.property] = structuredClone(identity)
+
+    return body
+  }
+}
+
+function check (body: unknown): asserts body is Record<string, unknown> {
+  if (typeof body !== 'object' || body === null)
+    throw new BadRequest('Invalid request body')
+}

package/source/directives/auth/Incept.ts

@@ -31,15 +31,16 @@ export class Incept implements Directive {
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const identity = await this.schemes[scheme]
-      .invoke<Maybe<Identity>>('create', {
+      .invoke<Maybe<Identity>>('incept', {
       input: {
+        authority: input.authority,
         id,
         credentials
       }
     })
 
     if (identity instanceof Error)
-      throw new http.Conflict(identity)
+      throw new http.UnprocessableEntity(identity)
 
     input.identity = identity
     input.identity.scheme = scheme

package/source/directives/auth/Role.test.ts

@@ -2,6 +2,7 @@ import { type Component } from '@toa.io/core'
 import { generate } from 'randomstring'
 import { Role } from './Role'
 import { type Identity } from './types'
+import type { Parameter } from '../../RTD'
 
 const remote = {
   invoke: jest.fn()
@@ -16,16 +17,26 @@ beforeEach(() => {
 it('should return false if not matched', async () => {
   const roles = ['admin', 'user']
   const directive = new Role(roles, discovery)
-  const identity: Identity = { id: generate(), scheme: '', refresh: false }
+
+  const identity: Identity = {
+    id: generate(),
+    scheme: '',
+    refresh: false
+  }
 
   remote.invoke.mockResolvedValueOnce(['guest'])
 
-  const result = await directive.authorize(identity)
+  const result = await directive.authorize(identity, undefined, [])
 
   expect(result).toBe(false)
 
   expect(remote.invoke)
-    .toBeCalledWith('list', { query: { criteria: `identity==${identity.id}`, limit: 1024 } })
+    .toBeCalledWith('list', {
+      query: {
+        criteria: `identity==${identity.id}`,
+        limit: 1024
+      }
+    })
 })
 
 it('should return true on exact match', async () => {
@@ -52,11 +63,47 @@ it('should return false on non-scope substring match', async () => {
   expect(result).toBe(false)
 })
 
-async function match (expected: string[], actual: string[]): Promise<boolean> {
+it('should return true on match with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '29e54ae1'
+    }])
+
+  expect(result).toBe(true)
+})
+
+it('should return true on match with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '29e54ae1'
+    }])
+
+  expect(result).toBe(true)
+})
+
+it('should return false on mismatch with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '88584c9b'
+    }])
+
+  expect(result).toBe(false)
+})
+
+async function match
+(expected: string[], actual: string[], parameters: Parameter[] = []): Promise<boolean> {
   const directive = new Role(expected, discovery)
-  const identity: Identity = { id: generate(), scheme: '', refresh: false }
+
+  const identity: Identity = {
+    id: generate(),
+    scheme: '',
+    refresh: false
+  }
 
   remote.invoke.mockResolvedValueOnce(actual)
 
-  return await directive.authorize(identity)
+  return await directive.authorize(identity, undefined, parameters)
 }

package/source/directives/auth/Role.ts

@@ -1,14 +1,18 @@
+import assert from 'node:assert'
 import { type Component, type Query } from '@toa.io/core'
 import { type Directive, type Identity } from './types'
+import type { Parameter } from '../../RTD'
 
 export class Role implements Directive {
   public static remote: Component | null = null
   private readonly roles: string[]
   private readonly discovery: Promise<Component>
+  private readonly dynamic: boolean
 
   public constructor (roles: string | string[], discovery: Promise<Component>) {
     this.roles = typeof roles === 'string' ? [roles] : roles
     this.discovery = discovery
+    this.dynamic = this.roles.some((role) => role.includes('{'))
   }
 
   public static async set (identity: Identity, discovery: Promise<Component>): Promise<void> {
@@ -22,37 +26,41 @@ export class Role implements Directive {
     identity.roles = await this.remote.invoke('list', { query })
   }
 
-  public async authorize (identity: Identity | null): Promise<boolean> {
+  public async authorize
+  (identity: Identity | null, _: unknown, parameters: Parameter[]): Promise<boolean> {
     if (identity === null)
       return false
 
     await Role.set(identity, this.discovery)
 
-    if (identity.roles === undefined)
+    if (identity.roles!.length === 0) // Role.set()
+
       return false
 
-    return this.match(identity.roles)
+    return this.match(identity.roles!, parameters)
   }
 
-  private match (roles: string[]): boolean {
+  private match (roles: string[], parameters: Parameter[]): boolean {
+    const required = this.dynamic ? this.substitute(parameters) : this.roles
+
     for (const role of roles) {
-      const index = this.roles.findIndex((expected) => compare(expected, role))
+      const ok = required.some((expected) => expected === role || expected.startsWith(role + ':'))
 
-      if (index !== -1)
+      if (ok)
         return true
     }
 
     return false
   }
-}
 
-function compare (expected: string, actual: string): boolean {
-  const exp = expected.split(':')
-  const act = actual.split(':')
+  private substitute (parameters: Parameter[]): string[] {
+    return this.roles.map((role) => role.replaceAll(/{(\w+)}/g, (_, key) => {
+      const value = parameters.find((parameter) => parameter.name === key)?.value
 
-  for (let i = 0; i < act.length; i++)
-    if (exp[i] !== act[i])
-      return false
+      assert.ok(value !== undefined,
+        `Role '${role}' requires '${key}' route parameter.`)
 
-  return true
+      return value
+    }))
+  }
 }

package/source/directives/auth/types.ts

@@ -8,7 +8,7 @@ export interface Directive {
   authorize: (
     identity: Identity | null,
     input: Input,
-    parameters: Parameter[],
+    parameters: Parameter[]
   ) => boolean | Promise<boolean>
 
   reply?: (identity: Identity | null) => http.OutgoingMessage

package/source/directives/cache/Cache.ts

@@ -1,19 +1,19 @@
 import { Control } from './Control'
 import { Exact } from './Exact'
-import type { Input, Output } from '../../io'
-import type { Directive } from './types'
-import type { Family } from '../../Directive'
+import type { Output } from '../../io'
+import type { AuthenticatedContext, Directive } from './types'
+import type { DirectiveFamily } from '../../RTD'
 import type * as http from '../../HTTP'
 
-export class Cache implements Family<Directive> {
+export class Cache implements DirectiveFamily<Directive> {
   public readonly name: string = 'cache'
-  public readonly mandatory: boolean = false
+  public readonly mandatory: boolean = true
 
   public create (name: string, value: any): Directive {
     const Class = constructors[name]
 
     if (Class === undefined)
-      throw new Error(`Directive '${name}' is not provided by the '${this.name}' family.`)
+      throw new Error(`Directive 'cache:${name}' is not implemented.`)
 
     return new Class(value)
   }
@@ -23,9 +23,16 @@ export class Cache implements Family<Directive> {
   }
 
   public async settle
-  (directives: Directive[], input: Input, response: http.OutgoingMessage): Promise<void> {
+  (directives: Directive[], context: AuthenticatedContext, response: http.OutgoingMessage): Promise<void> {
+    const directive = directives[0]
+
     response.headers ??= new Headers()
-    directives[0]?.set(input, response.headers)
+
+    if (directive === undefined) {
+      if (context.identity !== null && !Control.disabled(response.headers))
+        response.headers.set('cache-control', 'private')
+    } else
+      directive.set(context, response.headers)
   }
 }