@sap/xssec
Version:
XS Advanced Container Security API for node.js
404 lines • 20 kB
TypeScript
export = Service;
/**
* @typedef {import('../token/Token')} Token
* @typedef {import('../context/SecurityContext')} SecurityContext
* @typedef {import('../jwks/Jwks')} Jwks
* @typedef {import('../error/validation/ValidationError')} ValidationError
* @typedef {import('../util/Types').ServiceCredentials} ServiceCredentials
* @typedef {import('../util/Types').ServiceConfig} ServiceConfig
* @typedef {import('../util/Types').SecurityContextConfig} SecurityContextConfig
* @typedef {import('../util/Types').TokenFetchOptions} TokenFetchOptions
* @typedef {import('../util/Types').TokenFetchResponse} TokenFetchResponse
* @typedef {import('../util/Types').GrantType} GrantType
*/
declare class Service {
/** @type {import("../util/Types").ExponentialBackoffRetryConfig} */
static DEFAULT_RETRY_CONFIG: import("../util/Types").ExponentialBackoffRetryConfig;
/** @type {import("../util/Types").CacheConfig} */
static DEFAULT_SIGNATURE_CACHE_CONFIG: import("../util/Types").CacheConfig;
/** @type {import("../util/Types").CacheConfig} */
static DEFAULT_TOKEN_CACHE_CONFIG: import("../util/Types").CacheConfig;
/**
* Minimum remaining token lifetime in seconds for cached tokens.
* Tokens with less remaining lifetime will be refreshed.
* @type {number}
*/
static DEFAULT_TOKEN_CACHE_LEEWAY: number;
/** @type {ResponseCache} */
static "__#private@#sharedOidcCache": ResponseCache;
/**
* JWKS cache instances shared by Service subclasses indexed by their constructor name.
* @type {Object.<string, ResponseCache>}
*/
static "__#private@#sharedJwksCaches": {
[x: string]: ResponseCache;
};
/**
* Signature cache instances shared by Service subclasses indexed by their constructor name.
* @type {Object.<string, LRUCache>}
*/
static "__#private@#sharedSignatureCaches": {
[x: string]: LRUCache;
};
/**
* Retrieves or creates the signature cache shared by all instances of this Service subclass.
* @param {import("../util/Types").CacheConfig} config
* @returns {LRUCache} the shared signature cache
* @throws {ConfigurationError} if a shared signature cache with a different size has already been created by another Service configuration for the same Service subclass.
*/
static "__#private@#getSharedSignatureCache"(config: import("../util/Types").CacheConfig): LRUCache;
/**
* Builds the configuration of this service based on the provided configuration and default values.
* @param {ServiceConfig} config
*/
static buildServiceConfiguration(config: ServiceConfig): import("../util/Types").ServiceConfig;
/**
* @param {ServiceCredentials} credentials
* @param {ServiceConfig} [serviceConfiguration={}]
*/
constructor(credentials: ServiceCredentials, serviceConfiguration?: ServiceConfig);
/** @type {ServiceCredentials} */
credentials: ServiceCredentials;
/** @type {ServiceConfig} */
config: ServiceConfig;
/**
* Context extensions that will be applied when creating security contexts on this instance.
* @type {import("../util/Types").ContextExtension<SecurityContext>[]}
*/
contextExtensions: import("../util/Types").ContextExtension<SecurityContext>[];
/**
* @internal
* Returns the paths of the relevant OIDC endpoints for this service based on
* custom endpoints from service configuration or default values.
*
* @returns {Object.<string, string>} endpoints
*/
get endpoints(): {
[x: string]: string;
};
/**
* @internal
* Sets the OIDC cache shared by all Service instances.
*/
set oidcCache(cache: import("../cache/ResponseCache"));
/**
* @internal
* Gets the OIDC cache shared by all Service instances.
*
* @returns {import("../cache/ResponseCache")} The OIDC cache.
*/
get oidcCache(): import("../cache/ResponseCache");
/**
* @internal
* Gets the JWKS cache for this Service instance.
*
* @returns {import("../cache/ResponseCache")} The JWKS cache.
*/
get jwksCache(): import("../cache/ResponseCache");
/**
* @internal
* Gets the signature cache for this Service instance.
*
* @returns {import("../util/Types").Cache} The signature cache.
*/
get signatureCache(): import("../util/Types").Cache;
/**
* Gets the token fetch cache for this Service instance.
* Can be used to re-use the cache when creating a second Service instance, e.g.:
* ```js
* const service2 = new XsuaaService(credentials, { tokenfetch: { cache: { impl: service1.tokenFetchCache } } });
* ```
*
* @returns {import("../util/Types").Cache} The token fetch cache, or null if token fetch caching is disabled.
*/
get tokenFetchCache(): import("../util/Types").Cache;
/**
* Checks if this service is the recipient of the given token.
* @param {Token} token
* @returns {Boolean}
*/
acceptsTokenAudience(token: Token): boolean;
/**
* Called internally to validate the credentials to have the necessary properties before performing a specific action, e.g. token fetch.
*
* @internal
* @param {string} action description of action for which the credentials are being validated.
* @param {...string} mandatoryProperties mandatory properties that must be present in the credentials.
* @throws {InvalidCredentialsError} if any of the mandatory properties are missing in the credentials.
*/
validateCredentials(action: string, ...mandatoryProperties: string[]): void;
/**
* Checks if the given token is valid under the given contextConfig.
* @param {Token} token
* @param {SecurityContextConfig} contextConfig
* @throws {ValidationError} if the token is not valid or could not be validated
*/
validateToken(token: Token, contextConfig: SecurityContextConfig): Promise<void>;
/**
* Checks if the given token's signature is valid under the given contextConfig.
* @param {Token} token
* @param {SecurityContextConfig} contextConfig
* @returns {Promise<void>} resolves when token signature is valid, otherwise error is thrown
* @throws {ValidationError} if the token signature is not valid or could not be validated
*/
validateTokenSignature(token: Token, contextConfig: SecurityContextConfig): Promise<void>;
/**
* @param {object} [requestOptions]
* @param {string} [requestOptions.correlationId]
*/
getOpenIDConfiguration({ correlationId }?: {
correlationId?: string;
}): Promise<any>;
/**
* @param {object} [requestOptions]
* @param {string} [requestOptions.correlationId]
*/
fetchOpenIDConfiguration({ correlationId }?: {
correlationId?: string;
}): Promise<any>;
/**
* Gets a cached client credentials token or fetches a new one if not cached or expired.
* Uses the token cache configured on this service instance to store token responses.
* Cached tokens are re-used for subsequent requests with the same parameters.
* The minimum guaranteed lifetime of returned tokens is 5 minutes.
* If no token cache is configured on this service instance, the token is fetched directly without caching.
*
* @param {TokenFetchOptions} options
* @returns {Promise<TokenFetchResponse>} response
*/
getClientCredentialsToken(options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Gets a cached JWT bearer token or fetches a new one if not cached or expired.
* Uses the token cache configured on this service instance to store token responses.
* Cached tokens are re-used for subsequent requests with the same parameters.
* The minimum guaranteed lifetime of returned tokens is 5 minutes.
* If no token cache is configured on this service instance, the token is fetched directly without caching.
*
* @param {String} assertion - JWT bearer token used as assertion
* @param {TokenFetchOptions} options
* @returns {Promise<TokenFetchResponse>} response
*/
getJwtBearerToken(assertion: string, options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Gets a cached password token or fetches a new one if not cached or expired.
* Uses the token cache configured on this service instance to store token responses.
* Cached tokens are re-used for subsequent requests with the same parameters.
* The minimum guaranteed lifetime of returned tokens is 5 minutes.
* If no token cache is configured on this service instance, the token is fetched directly without caching.
*
* @param {String} username
* @param {String} password
* @param {TokenFetchOptions} options
* @returns {Promise<TokenFetchResponse>} response
*/
getPasswordToken(username: string, password: string, options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Fetches a token from this service with this service's client credentials.
* @param {TokenFetchOptions} options
* @returns {Promise<TokenFetchResponse>} response
*/
fetchClientCredentialsToken(options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Fetches a user token from this service with the given username and password.
* @param {String} username
* @param {String} password
* @param {TokenFetchOptions} options
* @returns {Promise<TokenFetchResponse>} response
*/
fetchPasswordToken(username: string, password: string, options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Fetches a JWT bearer token from this service with the given user token as assertion.
* @param {TokenFetchOptions} options - default timeout is 10 seconds as JWT bearer can be slow
* @returns {Promise<TokenFetchResponse>} response
*/
fetchJwtBearerToken(assertion: any, options?: TokenFetchOptions): Promise<TokenFetchResponse>;
/**
* Builds a request for this service based on the service configuration and the given request options.
* For example, the request will use the timeout value from the service configuration if not overridden in the request options.
*
* @internal
* @param {import("node:https").RequestOptions} [requestOptions] - options for the request
*/
buildRequest(requestOptions?: import("node:https").RequestOptions): {
checkServerIdentity?: ((hostname: string, cert: import("node:tls").DetailedPeerCertificate) => Error | undefined) | undefined;
rejectUnauthorized?: boolean | undefined;
servername?: string | undefined;
_defaultAgent?: import("node:http").Agent | undefined;
agent?: import("node:http").Agent | boolean | undefined;
auth?: string | null | undefined;
createConnection?: ((options: import("node:http").ClientRequestArgs, oncreate: (err: Error | null, socket: import("node:stream").Duplex) => void) => import("node:stream").Duplex | null | undefined) | undefined;
defaultPort?: number | string | undefined;
family?: number | undefined;
headers?: import("node:http").OutgoingHttpHeaders | readonly string[] | undefined;
host?: string | null | undefined;
hostname?: string | null | undefined;
insecureHTTPParser?: boolean | undefined;
localAddress?: string | undefined;
localPort?: number | undefined;
lookup?: import("node:net").LookupFunction | undefined;
maxHeaderSize?: number | undefined;
method?: string | undefined;
path?: string | null | undefined;
port?: number | string | null | undefined;
protocol?: string | null | undefined;
setDefaultHeaders?: boolean | undefined;
setHost?: boolean | undefined;
signal?: AbortSignal | undefined;
socketPath?: string | undefined;
timeout: number | undefined;
uniqueHeaders?: Array<string | string[]> | undefined;
joinDuplicateHeaders?: boolean | undefined;
hints?: number | undefined;
ALPNCallback?: ((arg: {
servername: string;
protocols: string[];
}) => string | undefined) | undefined;
allowPartialTrustChain?: boolean | undefined;
ca?: string | Buffer | Array<string | Buffer> | undefined;
cert?: string | Buffer | Array<string | Buffer> | undefined;
sigalgs?: string | undefined;
ciphers?: string | undefined;
clientCertEngine?: string | undefined;
crl?: string | Buffer | Array<string | Buffer> | undefined;
dhparam?: string | Buffer | undefined;
ecdhCurve?: string | undefined;
honorCipherOrder?: boolean | undefined;
key?: string | Buffer | Array<string | Buffer | import("node:tls").KeyObject> | undefined;
privateKeyEngine?: string | undefined;
privateKeyIdentifier?: string | undefined;
maxVersion?: import("node:tls").SecureVersion | undefined;
minVersion?: import("node:tls").SecureVersion | undefined;
passphrase?: string | undefined;
pfx?: string | Buffer | Array<string | Buffer | import("node:tls").PxfObject> | undefined;
secureOptions?: number | undefined;
secureProtocol?: string | undefined;
sessionIdContext?: string | undefined;
ticketKeys?: Buffer | undefined;
sessionTimeout?: number | undefined;
retry: boolean | import("../util/Types").RetryConfig;
};
/**
* Builds a token request for this service with the given grant_type and options.
*
* @param {String} grant_type
* @param {TokenFetchOptions} options
*/
buildTokenRequest(grant_type: string, options: TokenFetchOptions): {
checkServerIdentity?: ((hostname: string, cert: import("node:tls").DetailedPeerCertificate) => Error | undefined) | undefined;
rejectUnauthorized?: boolean | undefined;
servername?: string | undefined;
_defaultAgent?: import("node:http").Agent | undefined;
agent?: import("node:http").Agent | boolean | undefined;
auth?: string | null | undefined;
createConnection?: ((options: import("node:http").ClientRequestArgs, oncreate: (err: Error | null, socket: import("node:stream").Duplex) => void) => import("node:stream").Duplex | null | undefined) | undefined;
defaultPort?: number | string | undefined;
family?: number | undefined;
headers?: import("node:http").OutgoingHttpHeaders | readonly string[] | undefined;
host?: string | null | undefined;
hostname?: string | null | undefined;
insecureHTTPParser?: boolean | undefined;
localAddress?: string | undefined;
localPort?: number | undefined;
lookup?: import("node:net").LookupFunction | undefined;
maxHeaderSize?: number | undefined;
method?: string | undefined;
path?: string | null | undefined;
port?: number | string | null | undefined;
protocol?: string | null | undefined;
setDefaultHeaders?: boolean | undefined;
setHost?: boolean | undefined;
signal?: AbortSignal | undefined;
socketPath?: string | undefined;
timeout: number | undefined;
uniqueHeaders?: Array<string | string[]> | undefined;
joinDuplicateHeaders?: boolean | undefined;
hints?: number | undefined;
ALPNCallback?: ((arg: {
servername: string;
protocols: string[];
}) => string | undefined) | undefined;
allowPartialTrustChain?: boolean | undefined;
ca?: string | Buffer | Array<string | Buffer> | undefined;
cert?: string | Buffer | Array<string | Buffer> | undefined;
sigalgs?: string | undefined;
ciphers?: string | undefined;
clientCertEngine?: string | undefined;
crl?: string | Buffer | Array<string | Buffer> | undefined;
dhparam?: string | Buffer | undefined;
ecdhCurve?: string | undefined;
honorCipherOrder?: boolean | undefined;
key?: string | Buffer | Array<string | Buffer | import("node:tls").KeyObject> | undefined;
privateKeyEngine?: string | undefined;
privateKeyIdentifier?: string | undefined;
maxVersion?: import("node:tls").SecureVersion | undefined;
minVersion?: import("node:tls").SecureVersion | undefined;
passphrase?: string | undefined;
pfx?: string | Buffer | Array<string | Buffer | import("node:tls").PxfObject> | undefined;
secureOptions?: number | undefined;
secureProtocol?: string | undefined;
sessionIdContext?: string | undefined;
ticketKeys?: Buffer | undefined;
sessionTimeout?: number | undefined;
retry: boolean | import("../util/Types").RetryConfig;
};
/**
* Prepares the given request to use this service's client credentials for authentication.
* Adds clientid and either clientsecret or an mTLS agent based on client certificate, depending on the type of credentials.
* @param {RequestInit} request
* @param {URLSearchParams} request.body
* @param {TokenFetchOptions} options
*/
addClientAuthentication(request: RequestInit, options?: TokenFetchOptions): void;
/**
* Updates the certificate and key in the service credentials for authentication of subsequent requests.
* @param {String} cert PEM-encoded client certificate
* @param {String} key PEM-encoded client key
* @returns {void}
*/
setCertificateAndKey(cert: string, key: string): void;
/**
* Creates a new {@link SecurityContext} from this service with the given token.
* @abstract
* @param {String|Token} token as JWT or Token object
* @param {SecurityContextConfig} contextConfig
* @returns {Promise<SecurityContext>} securityContext
*/
createSecurityContext(token: string | Token, contextConfig?: SecurityContextConfig): Promise<SecurityContext>;
/**
* Retrieves the JWKS (JSON Web Key Set) for the given token and context configuration.
*
* @param {string} token the token for which to retrieve the JWKS.
* @param {SecurityContextConfig} contextConfig the context configuration object.
* @returns {Promise<Jwks>} A promise that resolves to the JWKS (JSON Web Key Set) object.
* @throws {Error} If an error occurs while retrieving the JWKS.
*/
getJwks(token: string, contextConfig: SecurityContextConfig): Promise<Jwks>;
/**
* Determines the URL that can be used for fetching tokens of given grant_type from this service.
* @abstract
* @param {GrantType} grant_type
* @param {Object} options
* @param {String} options.correlationId
* @returns {Promise<URL>} URL of the service's token endpoint
*/
getTokenUrl(grant_type: GrantType, options?: {
correlationId: string;
}): Promise<URL>;
#private;
}
declare namespace Service {
export { Token, SecurityContext, Jwks, ValidationError, ServiceCredentials, ServiceConfig, SecurityContextConfig, TokenFetchOptions, TokenFetchResponse, GrantType };
}
import ResponseCache = require("../cache/ResponseCache");
import LRUCache = require("../cache/LRUCache");
type Token = import("../token/Token");
type SecurityContext = import("../context/SecurityContext")<any, any>;
type Jwks = import("../jwks/Jwks");
type ValidationError = import("../error/validation/ValidationError");
type ServiceCredentials = import("../util/Types").ServiceCredentials;
type ServiceConfig = import("../util/Types").ServiceConfig;
type SecurityContextConfig = import("../util/Types").SecurityContextConfig;
type TokenFetchOptions = import("../util/Types").TokenFetchOptions;
type TokenFetchResponse = import("../util/Types").TokenFetchResponse;
type GrantType = import("../util/Types").GrantType;
//# sourceMappingURL=Service.d.ts.map