import { Observable } from 'rxjs'; import { AjaxError, AjaxRequest } from 'rxjs/ajax'; import { CimStreamOptions, CimStreamResponse } from '../data/cim-stream'; import { HttpStatusCode } from '../data/http-constants'; import { PowerShellStreamResponse } from '../data/powershell-stream'; import { RpcForwardResponse } from '../rpc/forward/rpc-forward-model'; import { Rpc } from '../rpc/rpc'; import { RpcRelationshipType } from '../rpc/rpc-base'; import { RpcServiceForwarder } from '../rpc/rpc-forwarder'; import { SignedHttpRequestToken, SignOnManager, SignOnTokenResponse } from './sign-on-manager'; /** * Defines the response from an Authorization Handler */ export interface AuthorizationCredentials { username: string; password: string; applyToAllNodes?: boolean; useLaps?: boolean; lapsLocalAdminName?: string; } /** * Defines the response the AuthorizationManager returns from getToken */ export interface AuthorizationTokenResponse { token: AuthorizationToken; appliesTo?: string | string[]; } /** * Defines an authorizationToken */ export interface AuthorizationToken { value: string; username: string; useLaps: boolean; lapsLocalAdminName: string; } /** * The create authorization token options */ export interface CreateAuthorizationTokenOptions { password?: string; username?: string; useLaps?: boolean; lapsLocalAdminName?: string; } /** * The extra error data of original cause. */ export interface NodeAuthorizationErrorData { statusCode: HttpStatusCode; errorCode: string; errorMessage: string; } /** * Defines a handler that takes a nodeName and returns authorization credentials */ export declare type NodeAuthorizationHandler = (nodeName?: string | string[], errorData?: NodeAuthorizationErrorData) => Observable; /** * Defines properties that will be provided to child instances on a forward init request */ export interface AuthorizationManagerInitProperties { manageAsToken: AuthorizationToken; nodeTokens: MsftSme.StringMap; nodePowershellEndpoints: MsftSme.StringMap; signOnToken: SignedHttpRequestToken; } /** * Authorization Manager class. Handles SME authentication for service requests. */ export declare class AuthorizationManager extends RpcServiceForwarder { private authorize; /** * Cache key for session storage of authorization cache */ private static cacheKey; /** * If no laps local admin name is defined, it will default to 'administrator' */ static defaultLapsLocalAdminName: string; private static rpcCommands; /** * Create a map of nodeNames to token objects to hold node specific tokens. */ nodeTokens: MsftSme.StringMap; /** * The sign on operation manager. */ signOnManager: SignOnManager; /** * The backing store fro the manageAsToken */ private token; /** * The JSON Web Key. Single string with JSON.stringify format. */ private jwk; /** * Credentials expiration time, used to determine the lifetime of new tokens. Value in milliseconds. */ private credentialsExpirationTimeInMs; /** * Underlying implementation subject for credentialExpiration observable */ private credentialExpirationChangedSubject; /** * Observable that emits whenever the credentials expiration has changed */ credentialExpirationChanged: Observable; /** * Set the admin configured expiration time in milliseconds * If this is not set it will be defaulted to 365 days. */ set authExpirationInMs(expirationTimeInMs: number); /** * The logon user returned by gateway's api/user */ private logOnUser; /** * Sets logon user and caches the value */ set shellLogOnUser(username: string); /** * The mapping of connections to PowershellEndpoints */ private nodePowershellEndpoints; /** * The token awaiter subject. */ private tokenAwaiter; /** * The subject observable of sign on token awaiter. */ private signOnTokenAwaiter; /** * Sets the current manage as token * If running with an Rpc child, notify of the change */ set manageAsToken(token: AuthorizationToken); /** * Gets the current manage as token */ get manageAsToken(): AuthorizationToken; /** * Sets the gateway encryption certificate JWK. * If this is not set by Shell/Add-Connection, it will send clear text password. */ set gatewayJwk(jwk: string); /** * Observable that emits whenever the gateways Jwk has changed */ readonly gatewayJwkChanged: Observable; /** * Underlying implementation subject for gatewayJwkChanged observable */ private gatewayJwkChangedSubject; /** * Gets the gateway encryption certificate JWK. */ get gatewayJwk(): string; /** * Gets an observable the emits when the authorization token is ready */ get authAwaiter(): Observable; /** * Initializes a new instance of the Authorization Manager class * @param authorize An AuthorizationHandler with which to retrieve user credentials * @param rpc The rpc to forward auth requests to a parent window */ constructor(authorize: NodeAuthorizationHandler, rpc: Rpc); /** * defines the conditions under which the AuthorizationManager can handle an ajax error */ canHandleAjaxFailure(code: HttpStatusCode, error: AjaxError): boolean; /** * When canHandle returns true for an ajax error, this method can be called to handle that error. */ handleAjaxFailure(code: HttpStatusCode, request: AjaxRequest, error: AjaxError, nodeName?: string): Observable; /** * Check if it can handle the error. * * @param response the response of CIM stream query. */ canHandleStreamFailure(response: CimStreamResponse): boolean; /** * When canHandle returns true for an ajax error, this method can be called to handle that error. */ handleStreamFailure(nodeName: string, options: CimStreamOptions, response: CimStreamResponse | PowerShellStreamResponse): Observable; saveJeaContext(nodeName: string, endpoint: string): void; getJeaEndpoint(nodeName: string): string; /** * Associates a node to use a specified JEA endpoint */ setJeaEndpoint(nodeName: string, endpoint: string): void; /** * Calls the authorize method and gets a new token. * If running as a child, the token comes from the parent windows service */ getNewToken(nodeName: string): Observable; getNewToken(nodeNames: string[]): Observable; getNewToken(nodeName: string, errorData: NodeAuthorizationErrorData): Observable; getNewToken(nodeNames: string[], errorData: NodeAuthorizationErrorData): Observable; refreshSignOnToken(): Observable; /** * Forward Sign On Token to child frame. */ forwardSignOnToken(): void; /** * @deprecated use createSecureToken() after configured gatewayJwk property. * * Creates a token from the given options that may be used for node authentication * @param options The token creation options */ createToken(options: CreateAuthorizationTokenOptions, passwordEncryptedWith?: string): AuthorizationToken; /** * Creates a secure token from the given options that may be used for node authentication * * @param options The token creation options */ createSecureToken(options: CreateAuthorizationTokenOptions): Observable; /** * Get the saved Auth token for a node. * * @param nodeName The nodeName to get token for. */ getSavedNodeToken(nodeName: string): AuthorizationToken; /** * Sets a token on the given nodes * @param token The token to use for the given nodes * @param nodeName The names of the nodes to set the token for. If empty or null, the token will be used as the global manageAs token * @returns an Observable indicating that the token has been set. */ setNodeTokens(token: AuthorizationToken, nodeNames?: string[]): Observable; /** * Adds a authorization header to a request given a node with a manageAsToken * @param request The request to add headers to * @param nodeName optional. The node to add headers for if not provided, the global token will be used * @param token optional. The token to use for the headers. if provided, the nodeName is not used. */ addAuthorizationRequestHeader(request: AjaxRequest, nodeName?: string, token?: AuthorizationToken): void; /** * Create token headers. * * @param nodeName the node name. * @param token the token to override current setting (optional). */ createTokenHeaders(nodeName: string, token?: AuthorizationToken): MsftSme.StringMap; /** * Adds a authorization header to a request given a node with a manageAsToken */ addAuthorizationTokensToMultiPartBody(body: string[], nodeName?: string, token?: AuthorizationToken): void; resetAllTokens(): void; /** * Encrypts a string value using the jwk from the gateway */ encrypt(value: string): Observable; /** * Called on a child service instance when onForwardInit returns from the parent * @param data The response from the forwardInit call */ protected onForwardInitResponse(data: RpcForwardResponse): void; /** * Called when a new instance of the service in another window is initialized and needs to synchronize with its parent * @param from The RpcRelationshipType that this request is from * @returns an observable for the all the values needed to initialize the service */ protected onForwardInit(): Observable; /** * Called when the forwarded services counterpart wants to get data from the parent * @param from The RpcRelationshipType that this request is from * @param name The name of the method to forward to * @param args The arguments of the method * @returns an observable for the result of the method call */ protected onForwardExecute(from: RpcRelationshipType, name: string, args: any[]): Observable; /** * Called when the forwarded services counterpart sends a notify message * @param from The RpcRelationshipType that this request is from * @param name The name of the property to change * @param value The new value of the property * @returns an observable that completes when the property has been changed. */ protected onForwardNotify(from: RpcRelationshipType, name: string, value: any): Observable; /** * Creates a secure token from the given options that may be used for node authentication * * @param options The token creation options */ private secureToken; /** * Completes the token awaiter */ private completeTokenAwaiter; /** * Completes the sign on token awaiter */ private completeSignOnTokenAwaiter; /** * Gets the error data. * @param code the http status code. * @param error the AJAX error object. */ private getErrorData; /** * Updates the authorization cache. Does nothing if we are not running in shell */ private updateCache; }