88 lines
3.2 KiB
TypeScript
88 lines
3.2 KiB
TypeScript
import * as jose from 'jose';
|
|
import { Inject, Injectable } from '@nestjs/common';
|
|
import type { SingleSignOnServiceProviderRepository } from '@/models/_.js';
|
|
import { DI } from '@/di-symbols.js';
|
|
import { Endpoint } from '@/server/api/endpoint-base.js';
|
|
import { ModerationLogService } from '@/core/ModerationLogService.js';
|
|
import { ApiError } from '../../../error.js';
|
|
|
|
export const meta = {
|
|
tags: ['admin'],
|
|
|
|
requireCredential: true,
|
|
requireAdmin: true,
|
|
kind: 'write:admin:sso',
|
|
|
|
errors: {
|
|
noSuchSingleSignOnServiceProvider: {
|
|
message: 'No such SSO Service Provider',
|
|
code: 'NO_SUCH_SSO_SP',
|
|
id: '2f481db0-23f5-4380-8cb8-704169ffb25b',
|
|
},
|
|
},
|
|
} as const;
|
|
|
|
export const paramDef = {
|
|
type: 'object',
|
|
properties: {
|
|
id: { type: 'string', nullable: false },
|
|
name: { type: 'string', nullable: true },
|
|
issuer: { type: 'string', nullable: false },
|
|
audience: { type: 'array', items: { type: 'string', nullable: false } },
|
|
binding: { type: 'string', enum: ['post', 'redirect'], nullable: false },
|
|
acsUrl: { type: 'string', nullable: false },
|
|
signatureAlgorithm: { type: 'string', nullable: false },
|
|
cipherAlgorithm: { type: 'string', nullable: true },
|
|
wantAuthnRequestsSigned: { type: 'boolean', nullable: false },
|
|
wantAssertionsSigned: { type: 'boolean', nullable: false },
|
|
regenerateCertificate: { type: 'boolean', nullable: true },
|
|
secret: { type: 'string', nullable: true },
|
|
},
|
|
required: ['id'],
|
|
} as const;
|
|
|
|
@Injectable()
|
|
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
|
|
constructor(
|
|
@Inject(DI.singleSignOnServiceProviderRepository)
|
|
private singleSignOnServiceProviderRepository: SingleSignOnServiceProviderRepository,
|
|
|
|
private moderationLogService: ModerationLogService,
|
|
) {
|
|
super(meta, paramDef, async (ps, me) => {
|
|
const service = await this.singleSignOnServiceProviderRepository.findOneBy({ id: ps.id });
|
|
|
|
if (service == null) throw new ApiError(meta.errors.noSuchSingleSignOnServiceProvider);
|
|
|
|
const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;
|
|
const { publicKey, privateKey } = ps.regenerateCertificate
|
|
? await jose.generateKeyPair(alg).then(async keypair => ({
|
|
publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
|
|
privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
|
|
}))
|
|
: { publicKey: ps.secret ?? undefined, privateKey: undefined };
|
|
|
|
await this.singleSignOnServiceProviderRepository.update(service.id, {
|
|
name: ps.name !== '' ? ps.name : null,
|
|
issuer: ps.issuer,
|
|
audience: ps.audience?.filter(i => i.length > 0),
|
|
binding: ps.binding,
|
|
acsUrl: ps.acsUrl,
|
|
publicKey: publicKey,
|
|
privateKey: privateKey,
|
|
signatureAlgorithm: ps.signatureAlgorithm,
|
|
cipherAlgorithm: ps.cipherAlgorithm !== '' ? ps.cipherAlgorithm : null,
|
|
wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
|
|
wantAssertionsSigned: ps.wantAssertionsSigned,
|
|
});
|
|
|
|
const updatedService = await this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: service.id });
|
|
|
|
this.moderationLogService.log(me, 'updateSSOServiceProvider', {
|
|
serviceId: service.id,
|
|
before: service,
|
|
after: updatedService,
|
|
});
|
|
});
|
|
}
|
|
}
|