Merge branch 'IMN-522_client-assertion-validation' into IMN_799-purpo…

…se-platformstate-writer-scaffold

docker/docker-compose.yml

@@ -94,7 +94,7 @@ services:
 
   dynamodb-admin:
     image: "aaronshaf/dynamodb-admin"
-    container_name: dynamodb-admin
+    container_name: dynamodb-admin_token-generation-readmodel
     depends_on:
       - token-generation-readmodel
     restart: always

packages/catalog-platformstate-writer/.env

@@ -6,11 +6,7 @@ KAFKA_BROKERS="localhost:9092"
 KAFKA_DISABLE_AWS_IAM_AUTH="true"
 CATALOG_TOPIC="event-store.catalog.events"
 AWS_CONFIG_FILE=aws.config.local
-TOKEN_GENERATION_READMODEL_HOST="localhost"
-TOKEN_GENERATION_READMODEL_PORT=8085
 TOKEN_GENERATION_READMODEL_TABLE_NAME_PLATFORM="platform-states"
 TOKEN_GENERATION_READMODEL_TABLE_NAME_TOKEN_GENERATION="token-generation-states"
 
 AWS_REGION="eu-south-1"
-AWS_ACCESS_KEY_ID="key"
-AWS_SECRET_ACCESS_KEY="secret"

packages/catalog-platformstate-writer/aws.config.local

@@ -2,3 +2,8 @@
 aws_access_key_id=key
 aws_secret_access_key=secret
 region=eu-south-1
+services=local
+
+[services local]
+dynamodb= 
+  endpoint_url=http://localhost:8085

packages/catalog-platformstate-writer/src/index.ts

@@ -8,14 +8,7 @@ import { handleMessageV1 } from "./consumerServiceV1.js";
 import { handleMessageV2 } from "./consumerServiceV2.js";
 import { config } from "./config/config.js";
 
-const dynamoDBClient = new DynamoDBClient({
-  credentials: {
-    accessKeyId: config.awsAccessKeyId,
-    secretAccessKey: config.awsSecretAccessKey,
-  },
-  region: config.awsRegion,
-  endpoint: `http://${config.tokenGenerationReadModelDbHost}:${config.tokenGenerationReadModelDbPort}`,
-});
+const dynamoDBClient = new DynamoDBClient();
 
 async function processMessage({
   message,

packages/catalog-platformstate-writer/src/utils.ts

@@ -148,8 +148,9 @@ export const updateDescriptorStateInPlatformStatesEntry = async (
   await dynamoDBClient.send(command);
 };
 
-export const readTokenStateEntriesByEserviceIdAndDescriptorId = async (
+export const updateDescriptorStateInTokenGenerationStatesTable = async (
   eserviceId_descriptorId: GSIPKEServiceIdDescriptorId,
+  descriptorState: ItemState,
   dynamoDBClient: DynamoDBClient
 ): Promise<TokenGenerationStatesClientPurposeEntry[]> => {
   const runPaginatedQuery = async (
@@ -188,6 +189,12 @@ export const readTokenStateEntriesByEserviceIdAndDescriptorId = async (
         );
       }
 
+      await updateDescriptorStateEntriesInTokenGenerationStatesTable(
+        descriptorState,
+        dynamoDBClient,
+        tokenStateEntries.data
+      );
+
       if (!data.LastEvaluatedKey) {
         return tokenStateEntries.data;
       } else {
@@ -210,17 +217,11 @@ export const readTokenStateEntriesByEserviceIdAndDescriptorId = async (
   );
 };
 
-export const updateDescriptorStateInTokenGenerationStatesTable = async (
-  eserviceId_descriptorId: GSIPKEServiceIdDescriptorId,
+const updateDescriptorStateEntriesInTokenGenerationStatesTable = async (
   descriptorState: ItemState,
-  dynamoDBClient: DynamoDBClient
+  dynamoDBClient: DynamoDBClient,
+  entriesToUpdate: TokenGenerationStatesClientPurposeEntry[]
 ): Promise<void> => {
-  const entriesToUpdate =
-    await readTokenStateEntriesByEserviceIdAndDescriptorId(
-      eserviceId_descriptorId,
-      dynamoDBClient
-    );
-
   for (const entry of entriesToUpdate) {
     const input: UpdateItemInput = {
       ConditionExpression: "attribute_exists(GSIPK_eserviceId_descriptorId)",

packages/catalog-platformstate-writer/test/consumerServiceV1.test.ts

@@ -32,24 +32,19 @@ import {
   getMockTokenStatesClientPurposeEntry,
   buildDynamoDBTables,
   deleteDynamoDBTables,
+  readTokenStateEntriesByEserviceIdAndDescriptorId,
 } from "pagopa-interop-commons-test";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { writeTokenStateEntry } from "pagopa-interop-commons-test";
 import { handleMessageV1 } from "../src/consumerServiceV1.js";
-import {
-  readCatalogEntry,
-  readTokenStateEntriesByEserviceIdAndDescriptorId,
-  writeCatalogEntry,
-} from "../src/utils.js";
-import { config, sleep, writeTokenStateEntry } from "./utils.js";
-
+import { readCatalogEntry, writeCatalogEntry } from "../src/utils.js";
+import { config, sleep } from "./utils.js";
 describe("V1 events", async () => {
   if (!config) {
     fail();
   }
   const dynamoDBClient = new DynamoDBClient({
-    credentials: { accessKeyId: "key", secretAccessKey: "secret" },
-    region: "eu-central-1",
-    endpoint: `http://${config.tokenGenerationReadModelDbHost}:${config.tokenGenerationReadModelDbPort}`,
+    endpoint: `http://localhost:${config.tokenGenerationReadModelDbPort}`,
   });
   beforeEach(async () => {
     await buildDynamoDBTables(dynamoDBClient);

packages/catalog-platformstate-writer/test/consumerServiceV2.test.ts

@@ -36,23 +36,19 @@ import {
   getMockTokenStatesClientPurposeEntry,
   buildDynamoDBTables,
   deleteDynamoDBTables,
-} from "pagopa-interop-commons-test";
-import {
-  readCatalogEntry,
   readTokenStateEntriesByEserviceIdAndDescriptorId,
-  writeCatalogEntry,
-} from "../src/utils.js";
+  writeTokenStateEntry,
+} from "pagopa-interop-commons-test";
+import { readCatalogEntry, writeCatalogEntry } from "../src/utils.js";
 import { handleMessageV2 } from "../src/consumerServiceV2.js";
-import { config, sleep, writeTokenStateEntry } from "./utils.js";
+import { config, sleep } from "./utils.js";
 
 describe("integration tests V2 events", async () => {
   if (!config) {
     fail();
   }
   const dynamoDBClient = new DynamoDBClient({
-    credentials: { accessKeyId: "key", secretAccessKey: "secret" },
-    region: "eu-south-1",
-    endpoint: `http://${config.tokenGenerationReadModelDbHost}:${config.tokenGenerationReadModelDbPort}`,
+    endpoint: `http://localhost:${config.tokenGenerationReadModelDbPort}`,
   });
   beforeEach(async () => {
     await buildDynamoDBTables(dynamoDBClient);

packages/catalog-platformstate-writer/test/utils.test.ts

@@ -28,21 +28,19 @@ import {
   getMockTokenStatesClientPurposeEntry,
   buildDynamoDBTables,
   deleteDynamoDBTables,
+  readTokenStateEntriesByEserviceIdAndDescriptorId,
+  readAllTokenStateItems,
+  writeTokenStateEntry,
 } from "pagopa-interop-commons-test";
 import {
   deleteCatalogEntry,
   descriptorStateToItemState,
   readCatalogEntry,
-  readTokenStateEntriesByEserviceIdAndDescriptorId,
   updateDescriptorStateInPlatformStatesEntry,
   updateDescriptorStateInTokenGenerationStatesTable,
   writeCatalogEntry,
 } from "../src/utils.js";
-import {
-  config,
-  readAllTokenStateItems,
-  writeTokenStateEntry,
-} from "./utils.js";
+import { config } from "./utils.js";
 
 describe("utils tests", async () => {
   if (!config) {
@@ -51,11 +49,7 @@ describe("utils tests", async () => {
   const dynamoDBClient = new DynamoDBClient({
     credentials: { accessKeyId: "key", secretAccessKey: "secret" },
     region: "eu-central-1",
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    endpoint: `http://${config.tokenGenerationReadModelDbHost}:${
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      config.tokenGenerationReadModelDbPort
-    }`,
+    endpoint: `http://localhost:${config.tokenGenerationReadModelDbPort}`,
   });
   beforeEach(async () => {
     await buildDynamoDBTables(dynamoDBClient);

packages/catalog-platformstate-writer/test/utils.ts

@@ -1,21 +1,6 @@
 /* eslint-disable @typescript-eslint/no-unnecessary-type-assertion */
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
-import { fail } from "assert";
-import {
-  DynamoDBClient,
-  PutItemCommand,
-  PutItemInput,
-  ScanCommand,
-  ScanCommandOutput,
-  ScanInput,
-} from "@aws-sdk/client-dynamodb";
-import {
-  genericInternalError,
-  TokenGenerationStatesClientPurposeEntry,
-} from "pagopa-interop-models";
 import { inject, vi } from "vitest";
-import { unmarshall } from "@aws-sdk/util-dynamodb";
-import { z } from "zod";
 
 export const config = inject("tokenGenerationReadModelConfig");
 
@@ -26,110 +11,3 @@ export const sleep = (ms: number, mockDate = new Date()): Promise<void> =>
     vi.useFakeTimers();
     vi.setSystemTime(mockDate);
   });
-
-export const writeTokenStateEntry = async (
-  tokenStateEntry: TokenGenerationStatesClientPurposeEntry,
-  dynamoDBClient: DynamoDBClient
-): Promise<void> => {
-  if (!config) {
-    fail();
-  }
-  const input: PutItemInput = {
-    ConditionExpression: "attribute_not_exists(PK)",
-    Item: {
-      PK: {
-        S: tokenStateEntry.PK,
-      },
-      descriptorState: {
-        S: tokenStateEntry.descriptorState!,
-      },
-      descriptorAudience: {
-        L: tokenStateEntry.descriptorAudience
-          ? tokenStateEntry.descriptorAudience.map((item) => ({
-              S: item,
-            }))
-          : [],
-      },
-      updatedAt: {
-        S: tokenStateEntry.updatedAt,
-      },
-      consumerId: {
-        S: tokenStateEntry.consumerId,
-      },
-      agreementId: {
-        S: tokenStateEntry.agreementId!,
-      },
-      purposeVersionId: {
-        S: tokenStateEntry.purposeVersionId!,
-      },
-      GSIPK_consumerId_eserviceId: {
-        S: tokenStateEntry.GSIPK_consumerId_eserviceId!,
-      },
-      clientKind: {
-        S: tokenStateEntry.clientKind,
-      },
-      publicKey: {
-        S: tokenStateEntry.publicKey,
-      },
-      GSIPK_clientId: {
-        S: tokenStateEntry.GSIPK_clientId,
-      },
-      GSIPK_kid: {
-        S: tokenStateEntry.GSIPK_kid,
-      },
-      GSIPK_clientId_purposeId: {
-        S: tokenStateEntry.GSIPK_clientId_purposeId!,
-      },
-      agreementState: {
-        S: tokenStateEntry.agreementState!,
-      },
-      GSIPK_eserviceId_descriptorId: {
-        S: tokenStateEntry.GSIPK_eserviceId_descriptorId!,
-      },
-      GSIPK_purposeId: {
-        S: tokenStateEntry.GSIPK_purposeId!,
-      },
-      purposeState: {
-        S: tokenStateEntry.purposeState!,
-      },
-    },
-    TableName: config.tokenGenerationReadModelTableNameTokenGeneration,
-  };
-  const command = new PutItemCommand(input);
-  await dynamoDBClient.send(command);
-};
-
-export const readAllTokenStateItems = async (
-  dynamoDBClient: DynamoDBClient
-): Promise<TokenGenerationStatesClientPurposeEntry[]> => {
-  if (!config) {
-    fail();
-  }
-
-  const readInput: ScanInput = {
-    TableName: config.tokenGenerationReadModelTableNameTokenGeneration,
-  };
-  const commandQuery = new ScanCommand(readInput);
-  const data: ScanCommandOutput = await dynamoDBClient.send(commandQuery);
-
-  if (!data.Items) {
-    throw genericInternalError(
-      `Unable to read token state entries: result ${JSON.stringify(data)} `
-    );
-  } else {
-    const unmarshalledItems = data.Items.map((item) => unmarshall(item));
-
-    const tokenStateEntries = z
-      .array(TokenGenerationStatesClientPurposeEntry)
-      .safeParse(unmarshalledItems);
-
-    if (!tokenStateEntries.success) {
-      throw genericInternalError(
-        `Unable to parse token state entry item: result ${JSON.stringify(
-          tokenStateEntries
-        )} - data ${JSON.stringify(data)} `
-      );
-    }
-    return tokenStateEntries.data;
-  }
-};

packages/client-assertion-validation/src/errors.ts

@@ -102,9 +102,8 @@ export function invalidClientAssertionFormat(): ApiError<ErrorCodes> {
 export function unexpectedClientAssertionPayload(
   message: string
 ): ApiError<ErrorCodes> {
-  const extraDetails = message ? ` - ${message}` : "";
   return new ApiError({
-    detail: "Unexpected client assertion payload" + extraDetails,
+    detail: `Unexpected client assertion payload: ${message}`,
     code: "unexpectedClientAssertionPayload",
     title: "Invalid client assertion payload",
   });

packages/client-assertion-validation/test/validation.test.ts

@@ -397,7 +397,9 @@ describe("validation test", () => {
           digest: undefined,
         },
       });
-      expect(() => verifyClientAssertion(jws, undefined)).not.toThrow();
+
+      const verifiedClientAssertion = verifyClientAssertion(jws, undefined);
+      expect(verifiedClientAssertion.data?.payload.digest).toBeUndefined();
     });
 
     it("digestClaimNotFound", () => {

packages/commons-test/package.json

@@ -21,6 +21,7 @@
     "@anatine/zod-mock": "3.13.4",
     "@aws-sdk/client-dynamodb": "3.637.0",
     "@aws-sdk/client-sesv2": "3.620.1",
+    "@aws-sdk/util-dynamodb": "3.658.1",
     "@pagopa/eslint-config": "3.0.0",
     "@protobuf-ts/runtime": "2.9.4",
     "@testcontainers/postgresql": "10.9.0",

packages/commons-test/src/index.ts

@@ -7,3 +7,4 @@ export * from "./setupTestContainersVitest.js";
 export * from "./setupTestContainersVitestGlobal.js";
 export * from "./protobufConvertersToV1/catalogProtobufConverterToV1.js";
 export * from "./setupDynamoDBtables.js";
+export * from "./tokenGenerationReadmodelUtils.js";