-
Notifications
You must be signed in to change notification settings - Fork 679
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
661e5ec
commit c90e423
Showing
14 changed files
with
632 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
34 changes: 34 additions & 0 deletions
34
backend/src/db/migrations/20240702153745_identity-oidc-auth.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
import { Knex } from "knex"; | ||
|
||
import { TableName } from "../schemas"; | ||
import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils"; | ||
|
||
export async function up(knex: Knex): Promise<void> { | ||
if (!(await knex.schema.hasTable(TableName.IdentityOidcAuth))) { | ||
await knex.schema.createTable(TableName.IdentityOidcAuth, (t) => { | ||
t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); | ||
t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable(); | ||
t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable(); | ||
t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable(); | ||
t.jsonb("accessTokenTrustedIps").notNullable(); | ||
t.uuid("identityId").notNullable().unique(); | ||
t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE"); | ||
t.string("oidcDiscoveryUrl").notNullable(); | ||
t.text("encryptedCaCert").notNullable(); | ||
t.string("caCertIV").notNullable(); | ||
t.string("caCertTag").notNullable(); | ||
t.string("boundIssuer").notNullable(); | ||
t.string("boundAudiences").notNullable(); | ||
t.jsonb("boundClaims").notNullable(); | ||
t.string("boundSubject"); | ||
t.timestamps(true, true, true); | ||
}); | ||
|
||
await createOnUpdateTrigger(knex, TableName.IdentityOidcAuth); | ||
} | ||
} | ||
|
||
export async function down(knex: Knex): Promise<void> { | ||
await knex.schema.dropTableIfExists(TableName.IdentityOidcAuth); | ||
await dropOnUpdateTrigger(knex, TableName.IdentityOidcAuth); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
// Code generated by automation script, DO NOT EDIT. | ||
// Automated by pulling database and generating zod schema | ||
// To update. Just run npm run generate:schema | ||
// Written by akhilmhdh. | ||
|
||
import { z } from "zod"; | ||
|
||
import { TImmutableDBKeys } from "./models"; | ||
|
||
export const IdentityOidcAuthsSchema = z.object({ | ||
id: z.string().uuid(), | ||
accessTokenTTL: z.coerce.number().default(7200), | ||
accessTokenMaxTTL: z.coerce.number().default(7200), | ||
accessTokenNumUsesLimit: z.coerce.number().default(0), | ||
accessTokenTrustedIps: z.unknown(), | ||
identityId: z.string().uuid(), | ||
oidcDiscoveryUrl: z.string(), | ||
encryptedCaCert: z.string(), | ||
caCertIV: z.string(), | ||
caCertTag: z.string(), | ||
boundIssuer: z.string(), | ||
boundAudiences: z.string(), | ||
boundClaims: z.unknown(), | ||
boundSubject: z.string().nullable().optional(), | ||
createdAt: z.date(), | ||
updatedAt: z.date() | ||
}); | ||
|
||
export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>; | ||
export type TIdentityOidcAuthsInsert = Omit<z.input<typeof IdentityOidcAuthsSchema>, TImmutableDBKeys>; | ||
export type TIdentityOidcAuthsUpdate = Partial<Omit<z.input<typeof IdentityOidcAuthsSchema>, TImmutableDBKeys>>; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
import { z } from "zod"; | ||
|
||
import { IdentityOidcAuthsSchema } from "@app/db/schemas"; | ||
import { writeLimit } from "@app/server/config/rateLimiter"; | ||
import { verifyAuth } from "@app/server/plugins/auth/verify-auth"; | ||
import { AuthMode } from "@app/services/auth/auth-type"; | ||
import { validateOidcAuthAudiencesField } from "@app/services/identity-oidc-auth/identity-oidc-auth-validators"; | ||
|
||
export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider) => { | ||
server.route({ | ||
method: "POST", | ||
url: "/oidc-auth/identities/:identityId", | ||
config: { | ||
rateLimit: writeLimit | ||
}, | ||
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]), | ||
schema: { | ||
description: "Attach OIDC Auth configuration onto identity", | ||
security: [ | ||
{ | ||
bearerAuth: [] | ||
} | ||
], | ||
params: z.object({ | ||
identityId: z.string().trim() | ||
}), | ||
body: z.object({ | ||
accessTokenTrustedIps: z | ||
.object({ | ||
ipAddress: z.string().trim() | ||
}) | ||
.array() | ||
.min(1) | ||
.default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]), | ||
accessTokenTTL: z | ||
.number() | ||
.int() | ||
.min(1) | ||
.refine((value) => value !== 0, { | ||
message: "accessTokenTTL must have a non zero number" | ||
}) | ||
.default(2592000), | ||
accessTokenMaxTTL: z | ||
.number() | ||
.int() | ||
.refine((value) => value !== 0, { | ||
message: "accessTokenMaxTTL must have a non zero number" | ||
}) | ||
.default(2592000), | ||
accessTokenNumUsesLimit: z.number().int().min(0).default(0), | ||
oidcDiscoveryUrl: z.string().url().min(1), | ||
caCert: z.string().trim().default(""), | ||
boundIssuer: z.string().min(1), | ||
boundAudiences: validateOidcAuthAudiencesField, | ||
boundClaims: z.record(z.string()), | ||
boundSubject: z.string().optional() | ||
}), | ||
response: { | ||
200: z.object({ | ||
identityOidcAuth: IdentityOidcAuthsSchema | ||
}) | ||
} | ||
}, | ||
handler: async () => {} | ||
}); | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
backend/src/services/identity-oidc-auth/identity-oidc-auth-dal.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
import { TDbClient } from "@app/db"; | ||
import { TableName } from "@app/db/schemas"; | ||
import { ormify } from "@app/lib/knex"; | ||
|
||
export type TIdentityOidcAuthDALFactory = ReturnType<typeof identityOidcAuthDALFactory>; | ||
|
||
export const identityOidcAuthDALFactory = (db: TDbClient) => { | ||
const oidcAuthOrm = ormify(db, TableName.IdentityOidcAuth); | ||
return oidcAuthOrm; | ||
}; |
11 changes: 11 additions & 0 deletions
11
backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal"; | ||
|
||
type TIdentityOidcAuthServiceFactoryDep = { | ||
identityOidcAuthDAL: TIdentityOidcAuthDALFactory; | ||
}; | ||
|
||
export type TIdentityOidcAuthServiceFactory = ReturnType<typeof identityOidcAuthServiceFactory>; | ||
|
||
export const identityOidcAuthServiceFactory = ({ identityOidcAuthDAL }: TIdentityOidcAuthServiceFactoryDep) => { | ||
return {}; | ||
}; |
Empty file.
14 changes: 14 additions & 0 deletions
14
backend/src/services/identity-oidc-auth/identity-oidc-auth-validators.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
import { z } from "zod"; | ||
|
||
export const validateOidcAuthAudiencesField = z | ||
.string() | ||
.trim() | ||
.default("") | ||
.transform((data) => { | ||
if (data === "") return ""; | ||
// Trim each ID and join with ', ' to ensure formatting | ||
return data | ||
.split(",") | ||
.map((id) => id.trim()) | ||
.join(", "); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.