feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519)

2024-03-15 01:30:56 +09:00 · 2024-03-15 01:30:56 +09:00 · 8c1db331e7
commit 8c1db331e7
parent d300a6829f
45 changed files with 4094 additions and 1725 deletions
--- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts
+++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
@ -928,6 +928,50 @@ declare module '../api.js' {
      credential?: string | null,
    ): Promise<SwitchCaseResponseType<E, P>>;

+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    request<E extends 'admin/sso/create', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    request<E extends 'admin/sso/delete', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *read:admin:sso*
+     */
+    request<E extends 'admin/sso/list', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    request<E extends 'admin/sso/update', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
    /**
     * No description provided.
     * 
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@ -111,6 +111,12 @@ import type {
 	AdminRolesUpdateDefaultPoliciesRequest,
 	AdminRolesUsersRequest,
 	AdminRolesUsersResponse,
+	AdminSsoCreateRequest,
+	AdminSsoCreateResponse,
+	AdminSsoDeleteRequest,
+	AdminSsoListRequest,
+	AdminSsoListResponse,
+	AdminSsoUpdateRequest,
 	AnnouncementsRequest,
 	AnnouncementsResponse,
 	AntennasCreateRequest,
@ -653,6 +659,10 @@ export type Endpoints = {
 	'admin/roles/unassign': { req: AdminRolesUnassignRequest; res: EmptyResponse };
 	'admin/roles/update-default-policies': { req: AdminRolesUpdateDefaultPoliciesRequest; res: EmptyResponse };
 	'admin/roles/users': { req: AdminRolesUsersRequest; res: AdminRolesUsersResponse };
+	'admin/sso/create': { req: AdminSsoCreateRequest; res: AdminSsoCreateResponse };
+	'admin/sso/delete': { req: AdminSsoDeleteRequest; res: EmptyResponse };
+	'admin/sso/list': { req: AdminSsoListRequest; res: AdminSsoListResponse };
+	'admin/sso/update': { req: AdminSsoUpdateRequest; res: EmptyResponse };
 	'announcements': { req: AnnouncementsRequest; res: AnnouncementsResponse };
 	'antennas/create': { req: AntennasCreateRequest; res: AntennasCreateResponse };
 	'antennas/delete': { req: AntennasDeleteRequest; res: EmptyResponse };
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@ -113,6 +113,12 @@ export type AdminRolesUnassignRequest = operations['admin/roles/unassign']['requ
 export type AdminRolesUpdateDefaultPoliciesRequest = operations['admin/roles/update-default-policies']['requestBody']['content']['application/json'];
 export type AdminRolesUsersRequest = operations['admin/roles/users']['requestBody']['content']['application/json'];
 export type AdminRolesUsersResponse = operations['admin/roles/users']['responses']['200']['content']['application/json'];
+export type AdminSsoCreateRequest = operations['admin/sso/create']['requestBody']['content']['application/json'];
+export type AdminSsoCreateResponse = operations['admin/sso/create']['responses']['200']['content']['application/json'];
+export type AdminSsoDeleteRequest = operations['admin/sso/delete']['requestBody']['content']['application/json'];
+export type AdminSsoListRequest = operations['admin/sso/list']['requestBody']['content']['application/json'];
+export type AdminSsoListResponse = operations['admin/sso/list']['responses']['200']['content']['application/json'];
+export type AdminSsoUpdateRequest = operations['admin/sso/update']['requestBody']['content']['application/json'];
 export type AnnouncementsRequest = operations['announcements']['requestBody']['content']['application/json'];
 export type AnnouncementsResponse = operations['announcements']['responses']['200']['content']['application/json'];
 export type AntennasCreateRequest = operations['antennas/create']['requestBody']['content']['application/json'];
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@ -769,6 +769,42 @@ export type paths = {
     */
    post: operations['admin/roles/users'];
  };
+  '/admin/sso/create': {
+    /**
+     * admin/sso/create
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    post: operations['admin/sso/create'];
+  };
+  '/admin/sso/delete': {
+    /**
+     * admin/sso/delete
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    post: operations['admin/sso/delete'];
+  };
+  '/admin/sso/list': {
+    /**
+     * admin/sso/list
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *read:admin:sso*
+     */
+    post: operations['admin/sso/list'];
+  };
+  '/admin/sso/update': {
+    /**
+     * admin/sso/update
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+     */
+    post: operations['admin/sso/update'];
+  };
  '/announcements': {
    /**
     * announcements
@ -10287,6 +10323,272 @@ export type operations = {
      };
    };
  };
+  /**
+   * admin/sso/create
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+   */
+  'admin/sso/create': {
+    requestBody: {
+      content: {
+        'application/json': {
+          name?: string | null;
+          /** @enum {string} */
+          type: 'saml' | 'jwt';
+          issuer: string;
+          /** @default [] */
+          audience?: string[];
+          acsUrl: string;
+          signatureAlgorithm: string;
+          cipherAlgorithm?: string | null;
+          /** @default false */
+          wantAuthnRequestsSigned?: boolean;
+          /** @default true */
+          wantAssertionsSigned?: boolean;
+          /** @default true */
+          useCertificate: boolean;
+          secret?: string | null;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (with results) */
+      200: {
+        content: {
+          'application/json': {
+            id: string;
+            /** Format: date-time */
+            createdAt: string;
+            name: string | null;
+            /** @enum {string} */
+            type: 'saml' | 'jwt';
+            issuer: string;
+            audience: string[];
+            acsUrl: string;
+            publicKey: string;
+            signatureAlgorithm: string;
+            cipherAlgorithm?: string | null;
+            wantAuthnRequestsSigned: boolean;
+            wantAssertionsSigned: boolean;
+          };
+        };
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * admin/sso/delete
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+   */
+  'admin/sso/delete': {
+    requestBody: {
+      content: {
+        'application/json': {
+          id: string;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * admin/sso/list
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *read:admin:sso*
+   */
+  'admin/sso/list': {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** @default 10 */
+          limit?: number;
+          /** @default 0 */
+          offset?: number;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (with results) */
+      200: {
+        content: {
+          'application/json': ({
+              id: string;
+              /** Format: date-time */
+              createdAt: string;
+              name: string | null;
+              /** @enum {string} */
+              type: 'saml' | 'jwt';
+              issuer: string;
+              audience: string[];
+              acsUrl: string;
+              publicKey: string;
+              signatureAlgorithm: string;
+              cipherAlgorithm?: string | null;
+              wantAuthnRequestsSigned: boolean;
+              wantAssertionsSigned: boolean;
+            })[];
+        };
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * admin/sso/update
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:admin:sso*
+   */
+  'admin/sso/update': {
+    requestBody: {
+      content: {
+        'application/json': {
+          id: string;
+          name?: string;
+          issuer?: string;
+          audience?: string[];
+          acsUrl?: string;
+          signatureAlgorithm?: string;
+          cipherAlgorithm?: string;
+          wantAuthnRequestsSigned?: boolean;
+          wantAssertionsSigned?: boolean;
+          regenerateCertificate?: boolean;
+          secret?: string;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
  /**
   * announcements
   * @description No description provided.
--- a/packages/misskey-js/src/consts.ts
+++ b/packages/misskey-js/src/consts.ts
@ -89,6 +89,8 @@ export const permissions = [
 	'write:admin:promo',
 	'write:admin:drive',
 	'read:admin:drive',
+	'write:admin:sso',
+	'read:admin:sso',
 	'write:admin:ad',
 	'read:admin:ad',
 	'write:invite-codes',
@ -136,6 +138,9 @@ export const moderationLogTypes = [
 	'createIndieAuthClient',
 	'updateIndieAuthClient',
 	'deleteIndieAuthClient',
+	'createSSOServiceProvider',
+	'updateSSOServiceProvider',
+	'deleteSSOServiceProvider',
 	'createAvatarDecoration',
 	'updateAvatarDecoration',
 	'deleteAvatarDecoration',
@ -321,6 +326,19 @@ export type ModerationLogPayloads = {
 		clientId: string;
 		client: any;
 	};
+	createSSOServiceProvider: {
+		serviceId: string;
+		service: any;
+	};
+	updateSSOServiceProvider: {
+		serviceId: string;
+		before: any;
+		after: any;
+	};
+	deleteSSOServiceProvider: {
+		serviceId: string;
+		service: any;
+	};
 	createAvatarDecoration: {
 		avatarDecorationId: string;
 		avatarDecoration: any;