@toa.io/extensions.exposition 1.0.0-alpha.9 → 1.0.0-alpha.91

package/components/identity.federation/operations/{types.d.ts → types/context.d.ts}

@@ -1,11 +1,11 @@
 import { type Call, type Observation, type Query } from '@toa.io/types';
-import type { Schemas } from './schemas';
+import type { Entity } from './entity';
+import type { Configuration } from './configuration';
 export interface Context {
     local: {
-        observe: Observation<Entity & {
-            id: string;
-        }>;
+        observe: Observation<Entity>;
         transit: Call<TransitOutput, TransitInput>;
+        ensure: Call<EnsureOutput>;
     };
     remote: {
         identity: {
@@ -14,16 +14,19 @@ export interface Context {
             };
         };
     };
-    configuration: Required<Schemas>['configuration'];
+    configuration: Configuration;
 }
-export type Entity = Required<Schemas>['entity'];
 export interface TransitInput {
+    readonly authority: string;
     readonly iss: string;
     readonly sub: string;
 }
 export interface TransitOutput {
     id: string;
 }
+export interface EnsureOutput {
+    id: string;
+}
 interface IdentityTokensRevokeInput {
     query: Query;
 }
@@ -38,14 +41,19 @@ export interface JwtHeader {
 export interface IdToken {
     iss: string;
     sub: string;
-    aud: string;
+    aud: string | string[];
     exp: number;
     iat: number;
     nbf?: number;
 }
+export interface AuthenticateInput {
+    authority: string;
+    credentials: string;
+}
 export interface AuthenticateOutput {
     identity: {
         id: string;
+        claim: Pick<IdToken, 'iss' | 'sub' | 'aud'>;
     };
 }
 export {};

package/components/identity.federation/operations/types/context.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=context.js.map

package/components/identity.federation/operations/types/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../source/types/context.ts"],"names":[],"mappings":""}

package/components/identity.federation/operations/types/entity.d.ts

@@ -0,0 +1,6 @@
+export interface Entity {
+    id: string;
+    authority: string;
+    iss: string;
+    sub: string;
+}

package/components/identity.federation/operations/types/entity.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=entity.js.map

package/components/identity.federation/operations/types/entity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entity.js","sourceRoot":"","sources":["../../source/types/entity.ts"],"names":[],"mappings":""}

package/components/identity.federation/operations/types/index.d.ts

@@ -0,0 +1,3 @@
+export * from './configuration';
+export * from './context';
+export * from './entity';

package/components/identity.federation/operations/types/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./configuration"), exports);
+__exportStar(require("./context"), exports);
+__exportStar(require("./entity"), exports);
+//# sourceMappingURL=index.js.map

package/components/identity.federation/operations/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../source/types/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAA+B;AAC/B,4CAAyB;AACzB,2CAAwB"}

package/components/identity.federation/source/authenticate.ts

@@ -1,27 +1,14 @@
 import { type Maybe } from '@toa.io/types'
-import { Err } from 'error-value'
 import { assertionsAsValues } from './lib/assertions-as-values.js'
-import {
-  validateIdToken
-} from './lib/jwt'
-import type { Request } from '@toa.io/core'
-import type { AuthenticateOutput, Context } from './types'
+import { validateIdToken } from './lib/jwt'
+import type { AuthenticateInput, AuthenticateOutput, Context } from './types'
 
-async function authenticate (input: string,
+async function authenticate ({ authority, credentials }: AuthenticateInput,
   context: Context): Promise<Maybe<AuthenticateOutput>> {
-  const { iss, sub } = await validateIdToken(input, context.configuration.trust)
+  const { iss, sub, aud } = await validateIdToken(credentials, context.configuration.trust)
+  const { id } = await context.local.ensure({ entity: { authority, iss, sub } })
 
-  const request: Request = { query: { criteria: `iss==${iss};sub==${sub}` } }
-
-  let id = (await context.local.observe(request))?.id
-
-  if (id === undefined) {
-    if (context.configuration.explicit_identity_creation === true) return Err('NOT_FOUND')
-
-    id = (await context.local.transit({ input: { iss, sub } })).id
-  }
-
-  return { identity: { id } }
+  return { identity: { id, claim: { iss, sub, aud } } }
 }
 
 // Exporting as a function returning assertion errors as values

package/components/identity.federation/source/{create.ts → incept.ts}

@@ -3,24 +3,25 @@ import { validateIdToken } from './lib/jwt'
 import type { Request } from '@toa.io/core'
 import type { Context, Entity } from './types'
 
-async function create (input: CreateInput, context: Context): Promise<CreateOutput> {
+async function incept (input: Input, context: Context): Promise<Output> {
   const { iss, sub } = await validateIdToken(input.credentials, context.configuration.trust)
 
-  const request: Request = {
-    input: { iss, sub } satisfies Omit<Entity, 'id'>,
-    query: { id: input.id }
-  }
+  const request: Request = { input: { authority: input.authority, iss, sub } satisfies Omit<Entity, 'id'> }
+
+  if (input.id !== undefined)
+    request.query = { id: input.id }
 
   return await context.local.transit(request)
 }
 
-interface CreateInput {
-  id: string
+interface Input {
+  authority: string
   credentials: string
+  id?: string
 }
 
-interface CreateOutput {
+interface Output {
   id: string
 }
 
-export const effect = assertionsAsValues(create)
+export const effect = assertionsAsValues(incept)

package/components/identity.federation/source/lib/assertions-as-values.ts

@@ -1,4 +1,5 @@
 import * as assert from 'node:assert'
+import { console } from 'openspan'
 
 /**
  * Wrapping function that returns assertion errors as function return value
@@ -9,9 +10,11 @@ export function assertionsAsValues<T extends (...args: any[]) => Promise<any>> (
     try {
       return await fn(...args)
     } catch (err) {
-      console.error(err)
+      if (err instanceof assert.AssertionError) {
+        console.error('OIDC Authentication exception', { message: err.message })
 
-      if (err instanceof assert.AssertionError) return err
+        return err
+      }
 
       throw err
     }

package/components/identity.federation/source/lib/jwt.test.ts

@@ -1,8 +1,58 @@
-/* eslint-disable max-len */
+import * as http from 'node:http'
+
 /* eslint-disable @typescript-eslint/consistent-type-assertions */
-import { validateSignature, decodeJwt } from './jwt'
+import { once } from 'node:events'
+import { validateSignature, decodeJwt, validateJwtPayload, cachedFetch } from './jwt'
+import type { AddressInfo } from 'node:net'
+import type { IdToken, JwtHeader, Trust } from '../types'
 
 describe('jwt', () => {
+  describe('validateJwtPayload', () => {
+    const jwtHeader: JwtHeader = { alg: 'HS256', kid: 'k1' }
+
+    const trusted: Trust[] = [{
+      iss: 'test-iss',
+      aud: ['test-aud1', 'test-aud2'],
+      secrets: { [jwtHeader.alg]: { [jwtHeader.kid!]: 'test-secrete' } }
+    }]
+
+    const validJwtPayload: IdToken = {
+      iss: trusted[0].iss,
+      sub: 'test-sub',
+      iat: Date.now() / 1000,
+      exp: Date.now() / 1000 + 2000,
+      aud: trusted[0].aud![1]
+    }
+
+    describe('aud', () => {
+      test('throws without it', () => {
+        const { aud, ...noAudPayload } = validJwtPayload
+
+        expect(() => validateJwtPayload(noAudPayload, trusted, jwtHeader)).toThrow('Payload is missing aud')
+      })
+
+      test('passes with a single string', () => {
+        expect(validJwtPayload.aud).toEqual(expect.any(String))
+        expect(() => validateJwtPayload(validJwtPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('passes with an array', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: trusted[0].aud }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('throws with an array that does not intersects', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: ['boo', 'foo'] }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader))
+          .toThrow('Unknown audiences: boo, foo')
+      })
+    })
+  })
+
   test('decode', () => {
     const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
 
@@ -22,7 +72,7 @@ describe('jwt', () => {
       signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               k1: 'old-secret',
@@ -43,7 +93,7 @@ describe('jwt', () => {
       signature: 'signature',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               theKey: 'secret'
@@ -53,4 +103,73 @@ describe('jwt', () => {
       ]
     } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
   })
+
+  describe.skip('cachedFetch', () => {
+    let server: http.Server
+    // eslint-disable-next-line @typescript-eslint/no-invalid-void-type
+    const handler = jest.fn<void, [http.IncomingMessage, http.ServerResponse]>()
+    let endpoint: string
+
+    beforeAll(async () => {
+      server = http.createServer(handler)
+
+      server.listen(0, 'localhost')
+      await once(server, 'listening')
+
+      const { address, port } = server.address() as AddressInfo
+
+      endpoint = `http://${address}:${port}`
+    })
+
+    afterEach(() => {
+      handler.mockReset()
+    })
+
+    afterAll(async () => {
+      server.close()
+      await once(server, 'close')
+    })
+
+    test('fetches only once', async () => {
+      handler.mockImplementationOnce((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'public, max-age=3600' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      }).mockImplementationOnce((req, res) => {
+        res.writeHead(500)
+        res.end()
+      })
+
+      const firstRequest = await cachedFetch(endpoint)
+
+      expect(firstRequest.ok).toBe(true)
+      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      const secondRequest = await cachedFetch(endpoint)
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(1)
+    })
+
+    test('respects caching headers', async () => {
+      handler.mockImplementation((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'no-cache' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      })
+
+      const firstRequest = await cachedFetch(endpoint + '/no-cache')
+
+      expect(firstRequest.headers.get('cache-control')).toBe('no-cache')
+      expect(firstRequest.ok).toBe(true)
+      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      const secondRequest = await cachedFetch(endpoint + '/no-cache')
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(2)
+    })
+  })
 })

package/components/identity.federation/source/lib/jwt.ts

@@ -1,7 +1,7 @@
 import crypto from 'node:crypto'
 import * as assert from 'node:assert'
-import { type JwtHeader, type IdToken } from '../types'
-import { type TrustConfiguration } from '../schemas'
+
+import type { JwtHeader, IdToken, Trust } from '../types'
 
 export function decodeJwt (token: string): {
   header: unknown
@@ -27,7 +27,7 @@ export function validateJwtHeader (header: unknown): asserts header is JwtHeader
 }
 
 export function validateJwtPayload (payload: unknown,
-  trusted: TrustConfiguration[] = [],
+  trusted: Trust[] = [],
   header: JwtHeader): asserts payload is IdToken {
   assert.ok(trusted.length > 0, 'No trusted issuers provided')
 
@@ -38,13 +38,22 @@ export function validateJwtPayload (payload: unknown,
   assert.ok('iss' in payload, 'Payload is missing iss')
   assert.ok(typeof payload.iss === 'string', 'Payload iss is not a string')
   assert.ok('aud' in payload, 'Payload is missing aud')
-  assert.ok(typeof payload.aud === 'string', 'Payload aud is not a string')
+  assert.ok(typeof payload.aud === 'string' ||
+    (Array.isArray(payload.aud) && payload.aud.every((e): e is string => typeof e === 'string')),
+  'Payload aud is not a string nor an array of strings')
+
+  const issuer = trusted.find((config) => config.iss === payload.iss)
+
+  assert.ok(issuer, `Unknown issuer: ${payload.iss}`)
 
-  const issuer = trusted.find((config) => config.issuer === payload.iss)
+  if (Array.isArray(issuer.aud)) {
+    const tokenAud = payload.aud
 
-  assert.ok(issuer !== undefined &&
-      (issuer.audience === undefined || issuer.audience.some((a) => a === payload.aud),
-      `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`))
+    if (typeof tokenAud === 'string')
+      assert.ok(issuer.aud.some((a) => a === tokenAud), `Unknown audience: ${tokenAud}`)
+    else
+      assert.ok(issuer.aud.some((a) => tokenAud.includes(a)), `Unknown audiences: ${tokenAud.join(', ')}`)
+  }
 
   if (header.alg.startsWith('HS')) {
     const secrets = issuer.secrets
@@ -90,12 +99,12 @@ export async function validateSignature ({
   readonly payload: IdToken
   rawPayload: string
   signature: string
-  trusted?: TrustConfiguration[]
+  trusted?: Trust[]
 }): Promise<void> {
   if (alg.startsWith('HS')) {
     // symmetric algorithm, issuer is validated at this point
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- `kid` is validated
-    const secrets = trusted.find((c) => c.issuer === iss)!.secrets![alg]
+
+    const secrets = trusted.find((c) => c.iss === iss)!.secrets![alg]
     const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
     const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
     const hmac = crypto.createHmac(algorithm, secret)
@@ -109,16 +118,14 @@ export async function validateSignature ({
   }
 
   // Getting issuer public keys
-  const oidcRequest = await fetch(`${iss}/.well-known/openid-configuration`, {
-    cache: 'default'
-  })
+  const oidcRequest = await cachedFetch(`${iss}/.well-known/openid-configuration`)
 
   assert.ok(oidcRequest.ok,
     `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
 
   const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
 
-  const jwkRequest = await fetch(jwksUri, { cache: 'default' })
+  const jwkRequest = await cachedFetch(jwksUri)
 
   assert.ok(jwkRequest.ok, `Failed to fetch issuer keys: ${jwkRequest.statusText}`)
 
@@ -153,7 +160,7 @@ export async function validateSignature ({
 }
 
 export async function validateIdToken (token: string,
-  trusted?: TrustConfiguration[]): Promise<IdToken> {
+  trusted?: Trust[]): Promise<IdToken> {
   const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
 
   validateJwtHeader(header)
@@ -169,3 +176,16 @@ export async function validateIdToken (token: string,
 
   return payload
 }
+
+// workaround for ultrafetch being ESM only
+let _cachedFetch: typeof fetch | undefined
+
+export async function cachedFetch (url: string, init?: RequestInit): Promise<Response> {
+  if (typeof _cachedFetch !== 'function') {
+    const { withCache } = await import('ultrafetch')
+
+    _cachedFetch = withCache(fetch)
+  }
+
+  return _cachedFetch(url, init)
+}

package/components/identity.federation/source/types/configuration.ts

@@ -0,0 +1,15 @@
+export interface Configuration {
+  trust?: Trust[]
+  principal?: Principal
+}
+
+export interface Trust {
+  iss: string
+  aud?: [string, ...string[]]
+  secrets?: Record<string, Record<string, string>>
+}
+
+interface Principal {
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/{types.ts → types/context.ts}

@@ -1,10 +1,12 @@
 import { type Call, type Observation, type Query } from '@toa.io/types'
-import type { Schemas } from './schemas'
+import type { Entity } from './entity'
+import type { Configuration } from './configuration'
 
 export interface Context {
   local: {
-    observe: Observation<Entity & { id: string }>
+    observe: Observation<Entity>
     transit: Call<TransitOutput, TransitInput>
+    ensure: Call<EnsureOutput>
   }
   remote: {
     identity: {
@@ -13,12 +15,11 @@ export interface Context {
       }
     }
   }
-  configuration: Required<Schemas>['configuration']
+  configuration: Configuration
 }
 
-export type Entity = Required<Schemas>['entity']
-
 export interface TransitInput {
+  readonly authority: string
   readonly iss: string
   readonly sub: string
 }
@@ -27,6 +28,10 @@ export interface TransitOutput {
   id: string
 }
 
+export interface EnsureOutput {
+  id: string
+}
+
 interface IdentityTokensRevokeInput {
   query: Query
 }
@@ -43,14 +48,20 @@ export interface JwtHeader {
 export interface IdToken {
   iss: string
   sub: string
-  aud: string
+  aud: string | string[]
   exp: number
   iat: number
   nbf?: number
 }
 
+export interface AuthenticateInput {
+  authority: string
+  credentials: string
+}
+
 export interface AuthenticateOutput {
   identity: {
     id: string
+    claim: Pick<IdToken, 'iss' | 'sub' | 'aud'>
   }
 }

package/components/identity.federation/source/types/entity.ts

@@ -0,0 +1,6 @@
+export interface Entity {
+  id: string
+  authority: string
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/types/index.ts

@@ -0,0 +1,3 @@
+export * from './configuration'
+export * from './context'
+export * from './entity'

package/components/identity.federation/tsconfig.json

@@ -2,8 +2,9 @@
   "extends": "../../tsconfig.json",
   "compilerOptions": {
     "outDir": "./operations",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "target": "ES2022"
   },
-  "include": [
-    "source"
-  ]
-}
+  "include": ["source"]
+}

package/components/identity.roles/manifest.toa.yaml

@@ -4,14 +4,20 @@ name: roles
 entity:
   schema:
     identity*: string
-    role*: string
+    role*: /^[a-zA-Z0-9]{0,32}(:[a-zA-Z0-9]{0,32}){0,8}$/
+    grantor: string
+  unique:
+    role: [identity, role]
 
 operations:
-  transit:
+  grant:
     query: false
     input:
-      identity*: string
-      role*: string
+      identity*: .
+      role*: .
+      grantor:
+        id: string
+        roles: [string]
   list:
     output: [string]
   principal:
@@ -20,14 +26,18 @@ operations:
 
 receivers:
   identity.basic.principal: principal
+  identity.federation.principal: principal
 
 exposition:
   isolated: true
   /:identity:
     auth:role: system:identity:roles
     POST:
-      io:output: [id]
-      endpoint: transit
+      io:output: [id, grantor]
+      auth:rule:
+        delegate: grantor
+        role: system:identity:roles:delegation
+      endpoint: grant
     GET:
       io:output: true # array of strings
       auth:id: identity

package/components/identity.roles/operations/grant.d.ts

@@ -0,0 +1,10 @@
+import type { Entity } from './lib/Entity';
+export declare function transition(input: Input, object: Entity): Promise<Entity | Error>;
+export interface Input {
+    identity: string;
+    role: string;
+    grantor?: {
+        id: string;
+        roles: string[];
+    };
+}

package/components/identity.roles/operations/grant.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.transition = void 0;
+const error_value_1 = require("error-value");
+async function transition(input, object) {
+    if (input.grantor === undefined)
+        return Object.assign(object, input);
+    if (!within('system:identity:roles', input.grantor.roles) &&
+        !within(input.role, input.grantor.roles))
+        return ERR_OUT_OF_SCOPE;
+    object.role = input.role;
+    object.identity = input.identity;
+    object.grantor = input.grantor.id;
+    return object;
+}
+exports.transition = transition;
+function within(role, scopes) {
+    return scopes.some((scope) => role === scope || role.startsWith(scope + ':'));
+}
+const ERR_OUT_OF_SCOPE = (0, error_value_1.Err)('OUT_OF_SCOPE');
+//# sourceMappingURL=grant.js.map

package/components/identity.roles/operations/grant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../source/grant.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAG1B,KAAK,UAAU,UAAU,CAAE,KAAY,EAAE,MAAc;IAC5D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;QAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAErC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACvD,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxC,OAAO,gBAAgB,CAAA;IAEzB,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;IACxB,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;IAChC,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAA;IAEjC,OAAO,MAAM,CAAA;AACf,CAAC;AAbD,gCAaC;AAED,SAAS,MAAM,CAAE,IAAY,EAAE,MAAgB;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAA;AAC/E,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAA,iBAAG,EAAC,cAAc,CAAC,CAAA"}

package/components/identity.roles/operations/lib/Entity.d.ts

@@ -0,0 +1,5 @@
+export interface Entity {
+    identity: string;
+    role: string;
+    grantor?: string;
+}

package/components/identity.roles/operations/lib/Entity.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Entity.js.map

package/components/identity.roles/operations/lib/Entity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Entity.js","sourceRoot":"","sources":["../../source/lib/Entity.ts"],"names":[],"mappings":""}