import { Request, Response } from 'express';
import { PartialOIDCConfig } from './oidc/types';
import { WithConfig } from './app';
import { LoginRateLimiter } from './login-rate-limiter';
import { ICallback } from './types';
export interface WithSecurityStrategy {
    securityStrategy: SecurityStrategy;
}
export interface LoginStatusResponse {
    status: string;
    readOnlyAccess?: boolean;
    authenticationRequired?: boolean;
    allowNewUserRegistration?: boolean;
    allowDeviceAccessRequests?: boolean;
    userLevel?: any;
    username?: string;
}
export interface ACL {
    context: string;
    resources: Array<{
        paths?: string[];
        sources?: string[];
        permissions: Array<{
            subject: string;
            permission: string;
        }>;
    }>;
}
export interface OIDCUserIdentifier {
    sub: string;
    issuer: string;
    /** User's email from OIDC claims */
    email?: string;
    /** User's display name from OIDC claims */
    name?: string;
    /** User's groups from OIDC claims (used for permission mapping) */
    groups?: string[];
}
export declare function isOIDCUserIdentifier(value: unknown): value is OIDCUserIdentifier;
export interface User {
    username: string;
    type: string;
    password?: string;
    oidc?: OIDCUserIdentifier;
}
export interface UserData {
    userId: string;
    type: string;
}
export interface UserDataUpdate {
    type?: string;
    password?: string;
}
export interface UserWithPassword {
    userId: string;
    type: string;
    password: string;
}
export interface Device {
    clientId: string;
    permissions: string;
    config: any;
    description: string;
    requestedPermissions: string;
    tokenExpiry?: number;
}
export interface DeviceDataUpdate {
    permissions?: string;
    description?: string;
}
export interface OIDCSecurityConfig {
    enabled: boolean;
    issuer: string;
    clientId: string;
    clientSecret: string;
    redirectUri?: string;
    scope?: string;
    defaultPermission?: 'readonly' | 'readwrite' | 'admin';
    autoCreateUsers?: boolean;
}
export interface SecurityConfig {
    immutableConfig: boolean;
    allow_readonly: boolean;
    allowNewUserRegistration: boolean;
    allowDeviceAccessRequests: boolean;
    allowedCorsOrigins?: string;
    expiration: string;
    devices: Device[];
    secretKey: string;
    users: User[];
    acls?: ACL[];
    oidc?: OIDCSecurityConfig;
}
export interface RequestStatusData {
    expiration: string;
    permissions: any;
    config: any;
}
export interface SecurityStrategy {
    isDummy: () => boolean;
    allowReadOnly: () => boolean;
    shouldFilterDeltas: () => boolean;
    filterReadDelta: (user: any, delta: any) => any;
    configFromArguments: boolean;
    securityConfig: any;
    requestAccess: (config: any, request: any, ip: any, updateCb?: any) => any;
    getConfiguration: () => any;
    setAccessRequestStatus: (theConfig: SecurityConfig, identifier: string, status: string, body: RequestStatusData, cb: ICallback<SecurityConfig>) => void;
    getAccessRequestsResponse: any;
    getLoginStatus: (req: Request) => LoginStatusResponse;
    allowRestart: (req: Request) => boolean;
    allowConfigure: (req: Request) => boolean;
    getConfig: (ss: SecurityConfig) => Omit<SecurityConfig, 'secretKey' | 'users'>;
    setConfig: (prev: SecurityConfig, next: SecurityConfig) => SecurityConfig;
    validateConfiguration: (config: any) => void;
    getDevices: (theConfig: SecurityConfig) => Device[];
    updateDevice: (theConfig: SecurityConfig, clientId: string, updates: DeviceDataUpdate, cb: ICallback<SecurityConfig>) => void;
    deleteDevice: (theConfig: SecurityConfig, clientId: string, cb: ICallback<SecurityConfig>) => void;
    generateToken: (req: Request, res: Response, next: any, id: string, expiration: string) => void;
    getUsers: (theConfig: SecurityConfig) => UserData[];
    addUser: (theConfig: SecurityConfig, user: User, cb: ICallback<SecurityConfig>) => void;
    updateUser: (theConfig: SecurityConfig, username: string, userDataUpdate: UserDataUpdate, cb: ICallback<SecurityConfig>) => void;
    deleteUser: (theConfig: SecurityConfig, username: string, cb: ICallback<SecurityConfig>) => void;
    setPassword: (theConfig: SecurityConfig, username: string, password: string, cb: ICallback<SecurityConfig>) => void;
    shouldAllowPut: (req: Request, context: string, source: any, path: string) => boolean;
    addAdminMiddleware: (path: string) => void;
    addAdminWriteMiddleware: (path: string) => void;
    addWriteMiddleware: (path: string) => void;
    /** Update OIDC config in memory (optional - only available when token security is active) */
    updateOIDCConfig?: (newOidcConfig: PartialOIDCConfig) => void;
    /** Verify credentials (optional - only available when token security is active) */
    login?: (username: string, password: string) => Promise<{
        statusCode: number;
    }>;
    /** Shared login rate limiter (optional - only available when token security is active) */
    loginRateLimiter?: LoginRateLimiter;
}
export declare class InvalidTokenError extends Error {
    constructor(...args: any[]);
}
export declare function startSecurity(app: WithSecurityStrategy & WithConfig, securityConfig: any): void;
export declare function getSecurityConfig(app: WithConfig & WithSecurityStrategy, forceRead?: boolean): any;
export declare function pathForSecurityConfig(app: WithConfig): string;
export declare function saveSecurityConfig(app: WithSecurityStrategy & WithConfig, data: any, callback: any): void;
export declare function getCertificateOptions(app: WithConfig, cb: any): void;
export declare function getCAChainArray(filename: string): string[];
export declare function createCertificateOptions(app: WithConfig, certFile: string, keyFile: string, cb: any): void;
export declare function requestAccess(app: WithSecurityStrategy & WithConfig, request: any, ip: any, updateCb: any): any;
export type SecurityConfigSaver = (app: any, securityConfig: any, cb: (err: any) => void) => void;
export type SecurityConfigGetter = (app: any) => any;
/**
 * When Express trust proxy is enabled:
 * - req.ip will reflect the client IP and we don't want rateLimit to
 *   validate the presence of x-forwarded-for.
 * - trustProxy: false prevents ERR_ERL_PERMISSIVE_TRUST_PROXY warnings
 */
export declare function getRateLimitValidationOptions(app: WithConfig): {
    xForwardedForHeader: boolean;
    trustProxy: boolean;
} | undefined;
//# sourceMappingURL=security.d.ts.map