auth0-deploy-cli 8.21.0 → 8.23.0

package/lib/tools/auth0/handlers/clients.js

@@ -1,22 +1,15 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.schema = void 0;
+const lodash_1 = require("lodash");
 const client_1 = require("../client");
 const default_1 = __importDefault(require("./default"));
 const connectionProfiles_1 = require("./connectionProfiles");
 const userAttributeProfiles_1 = require("./userAttributeProfiles");
+const logger_1 = __importDefault(require("../../../logger"));
 const multiResourceRefreshTokenPoliciesSchema = {
     type: ['array', 'null'],
     description: 'A collection of policies governing multi-resource refresh token exchange (MRRT), defining how refresh tokens can be used across different resource servers',
@@ -256,13 +249,33 @@ exports.schema = {
                     'admin_login_domain',
                 ],
             },
+            token_exchange: {
+                type: ['object', 'null'],
+                description: 'Token exchange configuration for the client',
+                properties: {
+                    allow_any_profile_of_type: {
+                        type: 'array',
+                        description: 'List of enabled token exchange profile types for this client',
+                        items: {
+                            type: 'string',
+                            enum: ['custom_authentication'],
+                        },
+                    },
+                },
+            },
         },
         required: ['name'],
     },
 };
 class ClientHandler extends default_1.default {
     constructor(config) {
-        super(Object.assign(Object.assign({}, config), { type: 'clients', id: 'client_id', identifiers: ['client_id', 'name'], objectFields: ['client_metadata'], stripUpdateFields: [
+        super({
+            ...config,
+            type: 'clients',
+            id: 'client_id',
+            identifiers: ['client_id', 'name'],
+            objectFields: ['client_metadata'],
+            stripUpdateFields: [
                 // Fields not allowed during updates
                 'callback_url_template',
                 'signing_keys',
@@ -270,35 +283,44 @@ class ClientHandler extends default_1.default {
                 'tenant',
                 'jwt_configuration.secret_encoded',
                 'resource_server_identifier',
-            ] }));
+            ],
+            functions: {
+                update: async (
+                // eslint-disable-next-line camelcase
+                { client_id }, bodyParams) => this.client.clients.update(client_id, bodyParams),
+            },
+        });
     }
     objString(item) {
         return super.objString({ name: item.name, client_id: item.client_id });
     }
-    processChanges(assets) {
-        const _super = Object.create(null, {
-            processChanges: { get: () => super.processChanges }
-        });
-        return __awaiter(this, void 0, void 0, function* () {
-            const { clients } = assets;
-            // Do nothing if not set
-            if (!clients)
-                return;
-            assets.clients = yield this.sanitizeMapExpressConfiguration(this.client, clients);
-            const excludedClients = (assets.exclude && assets.exclude.clients) || [];
-            const { del, update, create, conflicts } = yield this.calcChanges(assets);
-            // Always filter out the client we are using to access Auth0 Management API
-            // As it could cause problems if it gets deleted or updated etc
-            const currentClient = this.config('AUTH0_CLIENT_ID') || '';
-            const filterClients = (list) => {
-                if (excludedClients.length) {
-                    return list.filter((item) => item.client_id !== currentClient && !excludedClients.includes(item.name));
-                }
-                return list.filter((item) => item.client_id !== currentClient);
-            };
-            // Sanitize client fields
-            const sanitizeClientFields = (list) => list.map((item) => {
-                // For resourceServers app type `resource_server`, don't include `oidc_backchannel_logout`, `oidc_logout`, `refresh_token`
+    async processChanges(assets) {
+        const { clients } = assets;
+        // Do nothing if not set
+        if (!clients)
+            return;
+        assets.clients = await this.sanitizeMapExpressConfiguration(this.client, clients);
+        const excludedClients = (assets.exclude && assets.exclude.clients) || [];
+        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
+            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
+        const { del, update, create, conflicts } = await this.calcChanges(assets);
+        // Always filter out the client we are using to access Auth0 Management API
+        // As it could cause problems if it gets deleted or updated etc
+        const currentClient = this.config('AUTH0_CLIENT_ID') || '';
+        /*
+         * Filter out:
+         * - The client used to access Auth0 Management API
+         * - Clients in the exclusion list
+         * - Third-party clients when AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS is enabled
+         */
+        const filterClients = (list) => list.filter((item) => item.client_id !== currentClient &&
+            item.name &&
+            !excludedClients.includes(item.name) &&
+            (!excludeThirdPartyClients || item.is_first_party));
+        // Sanitize client fields
+        const sanitizeClientFields = (list) => {
+            const sanitizedClients = this.sanitizeCrossOriginAuth(list);
+            return sanitizedClients.map((item) => {
                 if (item.app_type === 'resource_server') {
                     if ('oidc_backchannel_logout' in item) {
                         delete item.oidc_backchannel_logout;
@@ -312,67 +334,93 @@ class ClientHandler extends default_1.default {
                 }
                 return item;
             });
-            const changes = {
-                del: sanitizeClientFields(filterClients(del)),
-                update: sanitizeClientFields(filterClients(update)),
-                create: sanitizeClientFields(filterClients(create)),
-                conflicts: sanitizeClientFields(filterClients(conflicts)),
-            };
-            yield _super.processChanges.call(this, assets, Object.assign({}, changes));
+        };
+        const changes = {
+            del: sanitizeClientFields(filterClients(del)),
+            update: sanitizeClientFields(filterClients(update)),
+            create: sanitizeClientFields(filterClients(create)),
+            conflicts: sanitizeClientFields(filterClients(conflicts)),
+        };
+        await super.processChanges(assets, {
+            ...changes,
         });
     }
-    getType() {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (this.existing)
-                return this.existing;
-            const clients = yield (0, client_1.paginate)(this.client.clients.getAll, {
-                paginate: true,
-                include_totals: true,
-                is_global: false,
-            });
-            this.existing = clients;
+    /**
+     * @description
+     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
+     *
+     * @param {Client[]} clients - The client array to sanitize.
+     * @returns {Client[]} The sanitized array of clients.
+     */
+    sanitizeCrossOriginAuth(clients) {
+        const deprecatedClients = [];
+        const updatedClients = clients.map((client) => {
+            let updated = { ...client };
+            if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
+                const clientName = client.name || client.client_id || 'unknown client';
+                deprecatedClients.push(clientName);
+                if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
+                    updated.cross_origin_authentication = updated.cross_origin_auth;
+                }
+                updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
+            }
+            return updated;
+        });
+        if (deprecatedClients.length > 0) {
+            logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+        }
+        return updatedClients;
+    }
+    async getType() {
+        if (this.existing)
             return this.existing;
+        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
+            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
+        const clients = await (0, client_1.paginate)(this.client.clients.list, {
+            paginate: true,
+            is_global: false,
+            ...(excludeThirdPartyClients && { is_first_party: true }),
         });
+        const sanitizedClients = this.sanitizeCrossOriginAuth(clients);
+        this.existing = sanitizedClients;
+        return this.existing;
     }
     // convert names back to IDs for express configuration
-    sanitizeMapExpressConfiguration(auth0Client, clientList) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // if no clients have express configuration, return early
-            if (!clientList.some((p) => p.express_configuration)) {
-                return clientList;
-            }
-            const clientData = yield this.getType();
-            const connectionProfiles = yield (0, connectionProfiles_1.getConnectionProfile)(auth0Client);
-            const userAttributeProfiles = yield (0, userAttributeProfiles_1.getUserAttributeProfiles)(auth0Client);
-            return clientList.map((client) => {
-                var _a;
-                if (!client.express_configuration)
-                    return client;
-                const userAttributeProfileName = (_a = client.express_configuration) === null || _a === void 0 ? void 0 : _a.user_attribute_profile_id;
-                if (userAttributeProfileName) {
-                    const userAttributeProfile = userAttributeProfiles === null || userAttributeProfiles === void 0 ? void 0 : userAttributeProfiles.find((uap) => uap.name === userAttributeProfileName);
-                    if (userAttributeProfile === null || userAttributeProfile === void 0 ? void 0 : userAttributeProfile.id) {
-                        client.express_configuration.user_attribute_profile_id = userAttributeProfile.id;
-                    }
+    async sanitizeMapExpressConfiguration(auth0Client, clientList) {
+        // if no clients have express configuration, return early
+        if (!clientList.some((p) => p.express_configuration)) {
+            return clientList;
+        }
+        const clientData = await this.getType();
+        const connectionProfiles = await (0, connectionProfiles_1.getConnectionProfile)(auth0Client);
+        const userAttributeProfiles = await (0, userAttributeProfiles_1.getUserAttributeProfiles)(auth0Client);
+        return clientList.map((client) => {
+            if (!client.express_configuration)
+                return client;
+            const userAttributeProfileName = client.express_configuration?.user_attribute_profile_id;
+            if (userAttributeProfileName) {
+                const userAttributeProfile = userAttributeProfiles?.find((uap) => uap.name === userAttributeProfileName);
+                if (userAttributeProfile?.id) {
+                    client.express_configuration.user_attribute_profile_id = userAttributeProfile.id;
                 }
-                const connectionProfileName = client.express_configuration.connection_profile_id;
-                if (connectionProfileName) {
-                    const connectionProfile = connectionProfiles === null || connectionProfiles === void 0 ? void 0 : connectionProfiles.find((cp) => cp.name === connectionProfileName);
-                    if (connectionProfile === null || connectionProfile === void 0 ? void 0 : connectionProfile.id) {
-                        client.express_configuration.connection_profile_id = connectionProfile.id;
-                    }
+            }
+            const connectionProfileName = client.express_configuration.connection_profile_id;
+            if (connectionProfileName) {
+                const connectionProfile = connectionProfiles?.find((cp) => cp.name === connectionProfileName);
+                if (connectionProfile?.id) {
+                    client.express_configuration.connection_profile_id = connectionProfile.id;
                 }
-                const oktaOinClientName = client.express_configuration.okta_oin_client_id;
-                if (oktaOinClientName) {
-                    const oktaOinClient = clientData === null || clientData === void 0 ? void 0 : clientData.find((c) => c.name === oktaOinClientName);
-                    if (oktaOinClient) {
-                        client.express_configuration.okta_oin_client_id = oktaOinClient.client_id;
-                    }
+            }
+            const oktaOinClientName = client.express_configuration.okta_oin_client_id;
+            if (oktaOinClientName) {
+                const oktaOinClient = clientData?.find((c) => c.name === oktaOinClientName);
+                if (oktaOinClient?.client_id) {
+                    client.express_configuration.okta_oin_client_id = oktaOinClient.client_id;
                 }
-                return client;
-            });
+            }
+            return client;
         });
     }
 }
 exports.default = ClientHandler;
-//# sourceMappingURL=clients.js.map

package/lib/tools/auth0/handlers/connectionProfiles.d.ts

@@ -1,4 +1,4 @@
-import { ConnectionProfile } from 'auth0';
+import { Management } from 'auth0';
 import { Assets, Auth0APIClient } from '../../../types';
 import DefaultAPIHandler from './default';
 export declare const schema: {
@@ -173,10 +173,12 @@ export declare const schema: {
         required: string[];
     };
 };
+export type ConnectionProfile = Management.ConnectionProfile;
 export declare const getConnectionProfile: (auth0Client: Auth0APIClient) => Promise<ConnectionProfile[]>;
 export default class ConnectionProfilesHandler extends DefaultAPIHandler {
     existing: ConnectionProfile[];
     constructor(config: DefaultAPIHandler);
+    objString(item: any): string;
     getType(): Promise<ConnectionProfile[]>;
     processChanges(assets: Assets): Promise<void>;
 }

package/lib/tools/auth0/handlers/connectionProfiles.js

@@ -1,13 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -188,10 +179,9 @@ exports.schema = {
         required: ['name'],
     },
 };
-const getConnectionProfile = (auth0Client) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
+const getConnectionProfile = async (auth0Client) => {
     try {
-        const connectionProfiles = yield (0, client_1.paginate)((_a = auth0Client.connectionProfiles) === null || _a === void 0 ? void 0 : _a.getAll, {
+        const connectionProfiles = await (0, client_1.paginate)(auth0Client.connectionProfiles?.list, {
             checkpoint: true,
             take: 10,
         });
@@ -207,33 +197,47 @@ const getConnectionProfile = (auth0Client) => __awaiter(void 0, void 0, void 0,
         }
         throw err;
     }
-});
+};
 exports.getConnectionProfile = getConnectionProfile;
 class ConnectionProfilesHandler extends default_1.default {
     constructor(config) {
-        super(Object.assign(Object.assign({}, config), { type: 'connectionProfiles', id: 'id', identifiers: ['id', 'name'], stripUpdateFields: ['id'] }));
-    }
-    getType() {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (this.existing)
-                return this.existing;
-            this.existing = yield (0, exports.getConnectionProfile)(this.client);
-            return this.existing;
+        super({
+            ...config,
+            type: 'connectionProfiles',
+            id: 'id',
+            identifiers: ['id', 'name'],
+            functions: {
+                update: (args, data) => this.client.connectionProfiles.update(args?.id, data),
+            },
         });
     }
-    processChanges(assets) {
-        const _super = Object.create(null, {
-            processChanges: { get: () => super.processChanges }
+    objString(item) {
+        return super.objString({
+            name: item.name,
         });
-        return __awaiter(this, void 0, void 0, function* () {
-            const { connectionProfiles } = assets;
-            // Do nothing if not set
-            if (!connectionProfiles)
-                return;
-            // Process using the default implementation
-            yield _super.processChanges.call(this, assets, yield this.calcChanges(assets));
+    }
+    async getType() {
+        if (this.existing)
+            return this.existing;
+        this.existing = await (0, exports.getConnectionProfile)(this.client);
+        return this.existing;
+    }
+    async processChanges(assets) {
+        const { connectionProfiles } = assets;
+        // Do nothing if not set
+        if (!connectionProfiles)
+            return;
+        const { del, update, create, conflicts } = await this.calcChanges(assets);
+        const changes = {
+            del: del,
+            update: update,
+            create: create,
+            conflicts: conflicts,
+        };
+        // Process using the default implementation
+        await super.processChanges(assets, {
+            ...changes,
         });
     }
 }
 exports.default = ConnectionProfilesHandler;
-//# sourceMappingURL=connectionProfiles.js.map

package/lib/tools/auth0/handlers/connections.d.ts

@@ -1,3 +1,4 @@
+import { Management } from 'auth0';
 import DefaultAPIHandler from './default';
 import { CalculatedChanges, Asset, Assets, Auth0APIClient } from '../../../types';
 import { ConfigFunction } from '../../../configFactory';
@@ -81,6 +82,7 @@ export declare const schema: {
         required: string[];
     };
 };
+export type Connection = Management.ConnectionForList;
 export declare const addExcludedConnectionPropertiesToChanges: ({ proposedChanges, existingConnections, config, }: {
     proposedChanges: CalculatedChanges;
     existingConnections: Asset[];
@@ -124,7 +126,7 @@ export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClien
  */
 export declare const processConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, changes: CalculatedChanges, delayMs?: number) => Promise<void>;
 export default class ConnectionsHandler extends DefaultAPIHandler {
-    existing: Asset[] | null;
+    existing: Connection[] | null;
     scimHandler: ScimHandler;
     constructor(config: DefaultAPIHandler);
     objString(connection: any): string;