mizzkey/packages/backend/src/server/api/endpoints/admin/sso/update.ts

import * as jose from 'jose';
import { Inject, Injectable } from '@nestjs/common';
import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
import { DI } from '@/di-symbols.js';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { ModerationLogService } from '@/core/ModerationLogService.js';
import { ApiError } from '../../../error.js';

export const meta = {
	tags: ['admin'],

	requireCredential: true,
	requireAdmin: true,
	kind: 'write:admin:sso',

	errors: {
		noSuchSingleSignOnServiceProvider: {
			message: 'No such SSO Service Provider',
			code: 'NO_SUCH_SSO_SP',
			id: '2f481db0-23f5-4380-8cb8-704169ffb25b',
		},
	},
} as const;

export const paramDef = {
	type: 'object',
	properties: {
		id: { type: 'string', nullable: false },
		name: { type: 'string', nullable: true },
		issuer: { type: 'string', nullable: false },
		audience: { type: 'array', items: { type: 'string', nullable: false } },
		binding: { type: 'string', enum: ['post', 'redirect'], nullable: false },
		acsUrl: { type: 'string', nullable: false },
		signatureAlgorithm: { type: 'string', nullable: false },
		cipherAlgorithm: { type: 'string', nullable: true },
		wantAuthnRequestsSigned: { type: 'boolean', nullable: false },
		wantAssertionsSigned: { type: 'boolean', nullable: false },
		regenerateCertificate: { type: 'boolean', nullable: true },
		secret: { type: 'string', nullable: true },
	},
	required: ['id'],
} as const;

@Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
	constructor(
		@Inject(DI.singleSignOnServiceProviderRepository)
		private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,

		private moderationLogService: ModerationLogService,
	) {
		super(meta, paramDef, async (ps, me) => {
			const service = await this.singleSignOnServiceProviderRepository.findOneBy({ id: ps.id });

			if (service == null) throw new ApiError(meta.errors.noSuchSingleSignOnServiceProvider);

			const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;
			const { publicKey, privateKey } = ps.regenerateCertificate
				? await jose.generateKeyPair(alg).then(async keypair => ({
					publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
					privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
				}))
				: { publicKey: ps.secret ?? undefined, privateKey: undefined };

			await this.singleSignOnServiceProviderRepository.update(service.id, {
				name: ps.name !== '' ? ps.name : null,
				issuer: ps.issuer,
				audience: ps.audience?.filter(i => i.length > 0),
				binding: ps.binding,
				acsUrl: ps.acsUrl,
				publicKey: publicKey,
				privateKey: privateKey,
				signatureAlgorithm: ps.signatureAlgorithm,
				cipherAlgorithm: ps.cipherAlgorithm !== '' ? ps.cipherAlgorithm : null,
				wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
				wantAssertionsSigned: ps.wantAssertionsSigned,
			});

			const updatedService = await this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: service.id });

			this.moderationLogService.log(me, 'updateSSOServiceProvider', {
				serviceId: service.id,
				before: service,
				after: updatedService,
			});
		});
	}
}
feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519) 2024-03-15 01:30:56 +09:00			`import * as jose from 'jose';`
			`import { Inject, Injectable } from '@nestjs/common';`
			`import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';`
			`import { DI } from '@/di-symbols.js';`
			`import { Endpoint } from '@/server/api/endpoint-base.js';`
			`import { ModerationLogService } from '@/core/ModerationLogService.js';`
			`import { ApiError } from '../../../error.js';`

			`export const meta = {`
			`tags: ['admin'],`

			`requireCredential: true,`
enhance(SSO): SAML認証でHTTP-POSTバインディングに対応 (MisskeyIO#531) 2024-03-17 20:58:53 +09:00			`requireAdmin: true,`
feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519) 2024-03-15 01:30:56 +09:00			`kind: 'write:admin:sso',`

			`errors: {`
			`noSuchSingleSignOnServiceProvider: {`
			`message: 'No such SSO Service Provider',`
			`code: 'NO_SUCH_SSO_SP',`
			`id: '2f481db0-23f5-4380-8cb8-704169ffb25b',`
			`},`
			`},`
			`} as const;`

			`export const paramDef = {`
			`type: 'object',`
			`properties: {`
fix(SSO): MisskeyIO#519 の一部API・データのフォーマットの問題を修正 (MisskeyIO#520) 2024-03-15 04:29:10 +09:00			`id: { type: 'string', nullable: false },`
			`name: { type: 'string', nullable: true },`
			`issuer: { type: 'string', nullable: false },`
feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519) 2024-03-15 01:30:56 +09:00			`audience: { type: 'array', items: { type: 'string', nullable: false } },`
enhance(SSO): SAML認証でHTTP-POSTバインディングに対応 (MisskeyIO#531) 2024-03-17 20:58:53 +09:00			`binding: { type: 'string', enum: ['post', 'redirect'], nullable: false },`
fix(SSO): MisskeyIO#519 の一部API・データのフォーマットの問題を修正 (MisskeyIO#520) 2024-03-15 04:29:10 +09:00			`acsUrl: { type: 'string', nullable: false },`
			`signatureAlgorithm: { type: 'string', nullable: false },`
			`cipherAlgorithm: { type: 'string', nullable: true },`
			`wantAuthnRequestsSigned: { type: 'boolean', nullable: false },`
			`wantAssertionsSigned: { type: 'boolean', nullable: false },`
			`regenerateCertificate: { type: 'boolean', nullable: true },`
			`secret: { type: 'string', nullable: true },`
feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519) 2024-03-15 01:30:56 +09:00			`},`
			`required: ['id'],`
			`} as const;`

			`@Injectable()`
			`export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export`
			`constructor(`
			`@Inject(DI.singleSignOnServiceProviderRepository)`
			`private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,`

			`private moderationLogService: ModerationLogService,`
			`) {`
			`super(meta, paramDef, async (ps, me) => {`
			`const service = await this.singleSignOnServiceProviderRepository.findOneBy({ id: ps.id });`

			`if (service == null) throw new ApiError(meta.errors.noSuchSingleSignOnServiceProvider);`

			`const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;`
			`const { publicKey, privateKey } = ps.regenerateCertificate`
			`? await jose.generateKeyPair(alg).then(async keypair => ({`
			`publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),`
			`privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),`
			`}))`
			`: { publicKey: ps.secret ?? undefined, privateKey: undefined };`

			`await this.singleSignOnServiceProviderRepository.update(service.id, {`
			`name: ps.name !== '' ? ps.name : null,`
			`issuer: ps.issuer,`
fix(SSO): SAML認証が正常に動作しない問題を修正 (MisskeyIO#525) 2024-03-16 09:01:03 +09:00			`audience: ps.audience?.filter(i => i.length > 0),`
enhance(SSO): SAML認証でHTTP-POSTバインディングに対応 (MisskeyIO#531) 2024-03-17 20:58:53 +09:00			`binding: ps.binding,`
feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519) 2024-03-15 01:30:56 +09:00			`acsUrl: ps.acsUrl,`
			`publicKey: publicKey,`
			`privateKey: privateKey,`
			`signatureAlgorithm: ps.signatureAlgorithm,`
			`cipherAlgorithm: ps.cipherAlgorithm !== '' ? ps.cipherAlgorithm : null,`
			`wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,`
			`wantAssertionsSigned: ps.wantAssertionsSigned,`
			`});`

			`const updatedService = await this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: service.id });`

			`this.moderationLogService.log(me, 'updateSSOServiceProvider', {`
			`serviceId: service.id,`
			`before: service,`
			`after: updatedService,`
			`});`
			`});`
			`}`
			`}`