UNPKG

moleculer-iam

Version:

Centralized IAM module for moleculer. Including a certified OIDC provider and an Identity provider for user profile, credentials, and custom claims management. Custom claims could be defined/updated by declarative schema which contains claims validation a

qmit-pro/moleculer-iam

224 lines 8.97 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.OIDCProviderProxy = void 0; const tslib_1 = require("tslib"); const kleur = tslib_1.__importStar(require("kleur")); const uuid_1 = require("uuid"); const accept_language_parser_1 = require("accept-language-parser"); const app_1 = require("../app"); const config_1 = require("./config"); const error_types_1 = require("./error.types"); // ref: https://github.com/panva/node-oidc-provider/blob/9306f66bdbcdff01400773f26539cf35951b9ce8/lib/models/client.js#L385 // @ts-ignore : need to hack oidc-provider private methods const weak_cache_1 = tslib_1.__importDefault(require("oidc-provider/lib/helpers/weak_cache")); let OIDCProviderProxy = /** @class */ (() => { class OIDCProviderProxy { constructor(props, options) { this.props = props; const { logger, idp } = props; this.logger = logger; // apply static options and get the provider instance and proxy config which can be set dynamically const { app, ...staticConfig } = options; const builder = new config_1.ProviderConfigBuilder({ logger, idp, }, staticConfig); // build main logic with options app_1.buildApplication(builder, app); // create provider and adapter this.provider = builder._dangerouslyBuild(); this.adapter = builder.adapter; } get hidden() { return weak_cache_1.default(this.provider); } // http handler application (Koa) get app() { return this.provider.app; } get configuration() { return this.hidden.configuration(); } get supportedLocales() { if (!this._supportedLocales) { this._supportedLocales = [...new Set([...this.configuration.discovery.ui_locales_supported || []])]; } return this._supportedLocales; } parseLocale(locale) { const locales = this.supportedLocales; const raw = accept_language_parser_1.pick(locales, locale || "", { loose: true }) || locales[0] || "ko-KR"; const [language, region] = raw.split("-"); const [_, requestedRegion] = (locale || "").split("-"); // request locale region will take precedence over matched one return { language, region: requestedRegion || region || "KR" }; } get issuer() { return this.provider.issuer; } async start() { await this.adapter.start(); await this.syncSupportedClaimsAndScopes(); } stop() { return this.adapter.stop(); } // programmable interfaces get Session() { return this.adapter.getModel("Session"); } get AccessToken() { return this.adapter.getModel("AccessToken"); } get AuthorizationCode() { return this.adapter.getModel("AuthorizationCode"); } get RefreshToken() { return this.adapter.getModel("RefreshToken"); } get DeviceCode() { return this.adapter.getModel("DeviceCode"); } get ClientCredentials() { return this.adapter.getModel("ClientCredentials"); } get Client() { return this.adapter.getModel("Client"); } get InitialAccessToken() { return this.adapter.getModel("InitialAccessToken"); } get RegistrationAccessToken() { return this.adapter.getModel("RegistrationAccessToken"); } get Interaction() { return this.adapter.getModel("Interaction"); } get ReplayDetection() { return this.adapter.getModel("ReplayDetection"); } get PushedAuthorizationRequest() { return this.adapter.getModel("PushedAuthorizationRequest"); } async findClient(id) { return this.Client.find(id); } async findClientOrFail(id) { const client = await this.findClient(id); if (!client) { throw new error_types_1.OIDCErrors.InvalidClient("client_not_found"); } return client; } async createClient(metadata) { if (metadata.client_id && await this.findClient(metadata.client_id)) { throw new error_types_1.OIDCErrors.InvalidClient("client_id_duplicated"); } this.logger.info(`create client ${kleur.cyan(metadata.client_id)}:`, metadata); const client = await this.hidden.clientAdd({ ...metadata, client_secret: OIDCProviderProxy.generateClientSecret(), }, { store: true }); return client.metadata(); } async updateClient(metadata) { const old = await this.findClient(metadata.client_id); // update client_secret if (metadata.reset_client_secret === true) { metadata = { ...metadata, client_secret: OIDCProviderProxy.generateClientSecret(), }; delete metadata.reset_client_secret; } this.logger.info(`update client ${kleur.cyan(metadata.client_id || "<unknown>")}:`, require("util").inspect(metadata)); const client = await this.hidden.clientAdd({ ...old, ...metadata, }, { store: true }); return client.metadata(); } async deleteClient(id) { await this.findClientOrFail(id); this.logger.info(`delete client ${kleur.cyan(id)}`); this.hidden.clientRemove(id); } async getClients(args) { return this.Client.get(args); } async countClients(args) { return this.Client.count(args); } static generateClientSecret() { return uuid_1.v4().replace(/\-/g, "") + uuid_1.v4().replace(/\-/g, ""); } async countModels(kind, args) { const model = this.adapter.getModel(kind); return model.count(args); } async getModels(kind, args) { const model = this.adapter.getModel(kind); return model.get(args); } async deleteModels(kind, args) { const model = this.adapter.getModel(kind); return model.delete(args); } async syncSupportedClaimsAndScopes() { // set available scopes and claims const claimsSchemata = await this.props.idp.claims.getActiveClaimsSchemata(); this.updateSupportedClaimsAndScopes(claimsSchemata); } // set supported claims and scopes (hacky) // ref: https://github.com/panva/node-oidc-provider/blob/ae8a4589c582b96f4e9ca0432307da15792ac29d/lib/helpers/claims.js#L54 updateSupportedClaimsAndScopes(defs) { const config = this.configuration; const claimsFilter = config.claims; const claimsSupported = config.claimsSupported; defs.forEach(schema => { let obj = claimsFilter.get(schema.scope); if (obj === null) { return; } if (!obj) { obj = {}; claimsFilter.set(schema.scope, obj); } obj[schema.key] = null; claimsSupported.add(schema.key); }); const scopes = config.scopes; const availableScopes = defs.map(schema => schema.scope).concat(["openid", "offline_access"]); for (const s of availableScopes) { scopes.add(s); } for (const s of scopes.values()) { if (!availableScopes.includes(s)) { scopes.delete(s); } } // log result this.logger.info(`available claims for each scopes has been updated:\n${[...claimsFilter.entries()] .map(([scope, claims]) => { return claims ? `${kleur.green(scope.padEnd(20))}: ${kleur.white(Object.keys(claims).join(", "))}` : `${kleur.green().dim("(token)".padEnd(20))}: ${kleur.dim(scope)}`; }) .join("\n")}`); } } OIDCProviderProxy.volatileModelNames = [ "Session", "AccessToken", "AuthorizationCode", "RefreshToken", "DeviceCode", "InitialAccessToken", "RegistrationAccessToken", "Interaction", "ReplayDetection", "PushedAuthorizationRequest", ]; return OIDCProviderProxy; })(); exports.OIDCProviderProxy = OIDCProviderProxy; //# sourceMappingURL=proxy.js.map