Merge pull request #38 from espoon-voltti/user-authentication

initial user authentication

api-gateway/.dockerignore

@@ -3,3 +3,4 @@
 !src
 !*.json
 !*.lock
+!config

api-gateway/config/certificates/Pipfile

@@ -0,0 +1,13 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+black = "==20.8b1"
+
+[packages]
+cryptography = "==41.0.4"
+
+[requires]
+python_version = "3.8"

api-gateway/config/certificates/README.md

@@ -0,0 +1,41 @@
+# Trusted SAML IdP certificates
+
+Espoo AD (production):
+
+- `espooad-internal-prod.2022.pem`
+
+Espoo AD (staging):
+
+- `espooad-internal-staging.2022.pem`
+
+Voltti IDP (dev/test):
+
+- `idp.test.espoon-voltti.fi.pem`
+
+## Update list of trusted IdP certificates
+
+1. Obtain URL for IdP metadata from the provider, for example:
+    - Espoo AD production: <https://login.microsoftonline.com/6bb04228-cfa5-4213-9f39-172454d82584/federationmetadata/2007-06/federationmetadata.xml?appid=7d857df7-95fd-42f1-96e6-296c1094be09>
+    - Espoo AD staging: <https://login.microsoftonline.com/6bb04228-cfa5-4213-9f39-172454d82584/federationmetadata/2007-06/federationmetadata.xml?appid=b73067a1-1f4c-4508-94ea-51c8eeb15793>
+2. [Fetch](#fetch-saml-signing-certificates-from-metadata) certificate(s) from IdP's remote metadata
+3. Update [code](https://github.com/espoon-voltti/oppivelvollisuus/blob/master/api-gateway/src/certificates.ts) to include any new files
+4. Update apigw deployment configuration to include the name of the new certificate file(s)
+
+## Fetch SAML signing certificates from metadata
+
+Requirements:
+
+- Python 3.8 (recommended to use [pyenv](https://github.com/pyenv/pyenv))
+- [pipenv](https://pipenv.pypa.io/en/latest/install/)
+
+SAML 2.0 metadata (XML) can contain multiple entities (usually different environments) and those entities can contain
+multiple signing certificates.
+
+To fetch all signing certificate for an IdP's entity use the helper script in this directory:
+
+```sh
+# Install python dependencies
+pipenv install
+# Fetch and export the certificates from a IdP metadata URL:
+pipenv run ./fetch-idp-certs.py <metadata url> [<entity ID>]
+```

api-gateway/config/certificates/espooad-internal-prod.2022.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIC8DCCAdigAwIBAgIQeBkco+Zfx45PGkleA2Fs/TANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
+EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEyMjAxMTQz
+MTBaFw0yNTEyMjAxMTQzMDZaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
+U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9vq1xWzo7rC
+DK6nBxll6yJs5V8z9/fTTW8YjTFS1XZPMozjZwzXUFF4UPISLzJ2RPDFQpHh/68d3JHxv/S+em5R
+tIgTDbNGvsKqKyKMqlJuy90fok5Udm2PyuaDSm7CtiVB+wrD/6MYl8UFr2Jmm2TyoeMnk2/130hY
+PWa8X+jA5ZhbpcL3ehNMC2orMX8p0CjL8XHNfsHQXqzUtfp3a5deVmfsbA41Cmns6xGby9yRIpDe
+IcZ7OU1U7vbURp1Zw3cjlspnGk4CtNjZLFgoAqAMiWZEfkpcB3RKPa1yCZjTsCg+BqeZds5ptgdB
+TDU7dTI7anbua2qL5TDPcQ9xrQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAVyQ+cXiXQWKdGRzL6
+Jldp5YgpRWXkTGwwD34LhtotKqgT20Q9xpjnnCgtUIjGMYIzT2uE+lRV0LP6unTbJzYnjOp0io9K
+WC8sYKwI2H9KXBZD9GgpsC0KI7OwVpmsEUgQgGJ0YG2Q8wSGLDYNb70ivSHG11VMxbTrmbFIcIo8
+nPUnLwaKtGyC5DVq5CjzzrQo0cfHz5VCICUS2LlBbf5KxGwcMl0K1/8HI/vjz2lAXVaWbVI3x+uk
+qVG76r0/x0bdF0McDQ/mGpe5/dgTqET/1sO8NmztVVnNxbOStQvKDiOXvwbcIAnslEgYz7KPTK0F
+kHl8wEIxQYS/DxVgVgNl
+-----END CERTIFICATE-----

api-gateway/config/certificates/espooad-internal-staging.2022.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIC8DCCAdigAwIBAgIQFkukTbLKSpZOUneiDYAeejANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
+EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEyMjAxMTQy
+MjZaFw0yNTEyMjAxMTQwNDNaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
+U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq39db8+lOShk
+lO5GfBstyCoLhrOf/sZkHL0ves3e7rlz2UedeGI62xI/Hz2yQFLnqH3UVFyw4Devzyy8WwzWKGO/
+UR1lxFaa8zs3GMB29ii0vkvD7HDx5fZcRRGnFvIxsMqvHnYC2QomYvQg9c/gCp9wh3a/nHC9qdKK
+FfOGbRLYI0rP6x74XlMvy09p5xM8JiiMPS7VZgAZO2S6U+hTgHQmLy6UUHYcetIs2cKh0ZKG4MLN
+M5+YhrLalcl6eLxCKdkbusU14wFAVrk3XmZ+QNT7tSTHGYwbienqJnNP1g3kQ+TadMEac0wuqhs7
+A2QTwS4klmr9yfxMaPH2rJU9YQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAk5U6tBA4omZQ/I0Hu
+XyFb14TKuFP9S+z1znncQNc2JQ9W+ugUlQsyHuZn+yZ+WoQtZiqUOqGmBqCZoUheN0+g3Ls79/03
+xCed4I6E7ntHhxXqsNtVTwTf0+shFdOrFYbmllqbZ3e03NwLg+zTpwrzJWgnBcpprCALyddCAHPE
+xRc9JqHr4M88oOfFpOlOzErWtoo2OmoUSLxeKcMo1WMsvDp/Uwa7Z2g69gvQG58m1vy29Bxr6/en
+3G0SwOUVaIDXJ7P4TRNEKkokjt9VHnKTIjTj5pnxyCFRdwWDhYFhzjqCfX7rl/kGfnsKcye5nDz7
+cgl1KCRUEUI/F7NCvVA+
+-----END CERTIFICATE-----

api-gateway/config/certificates/fetch-idp-certs.py

@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+import sys
+import urllib.request
+import xml.etree.ElementTree as ET
+from typing import List, Optional
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import serialization
+
+# Newlines included as f-strings can't contain escapes
+PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
+PEM_FOOTER = "\n-----END CERTIFICATE-----"
+SAML_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
+ENTITY_ID_KEY = "entityID"
+ENTITY_DESCRIPTOR_TAG = f"{SAML_NS}EntityDescriptor"
+
+
+def usage_exit():
+    print("Usage: pipenv run ./fetch-idp-certs.py <metadata url> [<entity ID>]")
+    print()
+    print("Fetch and extract public certificates from SAML 2.0 metadata URL")
+    exit(0)
+
+
+def write_cert_to_file(cert_string: str) -> str:
+    complete_cert = f"{PEM_HEADER}{cert_string.strip()}{PEM_FOOTER}"
+
+    cert = x509.load_pem_x509_certificate(bytes(complete_cert, "utf-8"), default_backend())
+
+    # Reasonable assumption that there's a single Common Name in the Subject
+    common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+
+    # Some CNs are silly, like "Microsoft Azure Federated SSO Certificate", let the user decide
+    filename = input(f'Select filename for certificate (default: "{common_name}.pem"): ') or f"{common_name}.pem"
+
+    f = open(filename, "wb")
+    f.write(cert.public_bytes(serialization.Encoding.PEM))
+    f.close()
+    return f.name
+
+
+def select_entity_from_metadata(tree: ET.Element, entity_id: Optional[str] = None) -> ET.Element:
+    if tree.tag == ENTITY_DESCRIPTOR_TAG:
+        # The metadata only contains a single entity (e.g. Azure AD metadata)
+        print(f"Metadata only contains a single entity, proceeding with it: {tree.get(ENTITY_ID_KEY)}")
+        return tree
+
+    entities = {x.get(ENTITY_ID_KEY): x for x in tree.findall(ENTITY_DESCRIPTOR_TAG)}
+    print(len(entities))
+
+    selected_entity: ET.Element = None
+    if entity_id is not None:
+        try:
+            selected_entity = next((entities[key] for key in entities if key == entity_id))
+        except StopIteration:
+            print(f'ERROR: No entityID "{entity_id}" found in metadata!')
+            exit(1)
+    else:
+        print("Found entities:", *entities.keys(), sep="\n")
+        selected_entity_id = input("Enter ID of entity to use: ")
+        try:
+            selected_entity = entities[selected_entity_id]
+        except KeyError:
+            print(f'ERROR: No entity "{selected_entity_id}" in metadata!')
+            exit(1)
+
+    return selected_entity
+
+
+def find_signing_certs(entity: ET.Element) -> List[ET.Element]:
+    xPathX509Cert = "".join(
+        [
+            "./",
+            f"{SAML_NS}",
+            "IDPSSODescriptor/",
+            f"{SAML_NS}",
+            'KeyDescriptor[@use="signing"]//',
+            "{http://www.w3.org/2000/09/xmldsig#}",
+            "X509Certificate",
+        ]
+    )
+    return entity.findall(xPathX509Cert)
+
+
+def main(metadata_url: str, entity_id: Optional[str] = None):
+    response = urllib.request.urlopen(metadata_url).read()
+    tree = ET.fromstring(response)
+
+    selected_entity = select_entity_from_metadata(tree, entity_id)
+
+    signing_certs = find_signing_certs(selected_entity)
+    if len(signing_certs) < 1:
+        print("ERROR: Couldn't find any signing certificates in the metadata!")
+        exit(1)
+
+    for cert in signing_certs:
+        filename = write_cert_to_file(cert.text)
+        print(f"Exported PEM certificate: {filename}")
+
+
+if len(sys.argv) < 2 or sys.argv[1] in ["--help", "-h"]:
+    usage_exit()
+
+metadata_url = sys.argv[1]
+entity_id = sys.argv[2] if len(sys.argv) >= 3 else None
+
+main(metadata_url, entity_id)

api-gateway/config/certificates/idp.staging.espoon-voltti.fi.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIUYIj1NhBk0OCaOgdmL49eLdewlpwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaWRwLnRlc3QuZXNwb29uLXZvbHR0aS5maTAeFw0xODA0
+MTAxNzQ5MjFaFw0zODA0MTAxNzQ5MjFaMCQxIjAgBgNVBAMMGWlkcC50ZXN0LmVz
+cG9vbi12b2x0dGkuZmkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr
+Mm4LYAQ0QgYbgrcKRUvO1wtCGPVOeDSsZRSX50KVKpBetwO2slmXQIUd4ngdhoPR
+wHcaTeOnbnlrAB+Ex19FuuHUFXkBbbXlf50jEzk8XlD7FALNXzB3bm3KQDGjQq32
+Tjx/fuLIQzEI3kRm+Z63wc+e//iToUpCM9WdSA2OLyp/tPWYyRjajkjDHuviYx1t
+EhAq8rPB4n3sxW0YPdzjA6HF++xAbCWOU5+Rf6v5r+oXpPmdsRJuRYPPWO03++5C
+uPYA/3Uz4+bAHS7Vr3Xmb/+VWjsBa6+gUckdc9dhZZXd4AOb/Y3Qn2oWBl094123
+pqqJ+bFi6i2v6hjX5SrLAgMBAAGjeTB3MB0GA1UdDgQWBBRsEih8RF6F/IBlm4Q+
+SOLSDMwx/zBWBgNVHREETzBNghlpZHAudGVzdC5lc3Bvb24tdm9sdHRpLmZphjBo
+dHRwczovL2lkcC50ZXN0LmVzcG9vbi12b2x0dGkuZmkvaWRwL3NoaWJib2xldGgw
+DQYJKoZIhvcNAQELBQADggEBABLMhlCrXLfIU5+5JGhipZWUaoyuwL4VRpgPo5GM
+m6gqcd6f9Pjyt8VxgFQDXxi4leXsQGGzJuib2jiJTafjoZTKxJl4VNJTgGVE7GL0
+aA5z4qMK0eig/Jrkml219R4Op2xf9VjcdabZTb1l/SryALyRVBTaTEeIHrHDtKk5
+ZA/EcatmkllreMX4NOI1UrIq6oDCmuO7QXvsAhvcPRbjk5hWan9OnBQoM83Fbx1s
+u4vnJOKvNhj2q2B6CYsEZ/6Nkzc7I5bj4qIsR4Ips5XWcaECT/UA2Vt6NDctngrF
+WfffY+vUUrhNu/pn8VgN7qvcfj5kxmNR1sEmWjuFk9BEacA=
+-----END CERTIFICATE-----

api-gateway/config/certificates/idp.test.espoon-voltti.fi.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIUYIj1NhBk0OCaOgdmL49eLdewlpwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaWRwLnRlc3QuZXNwb29uLXZvbHR0aS5maTAeFw0xODA0
+MTAxNzQ5MjFaFw0zODA0MTAxNzQ5MjFaMCQxIjAgBgNVBAMMGWlkcC50ZXN0LmVz
+cG9vbi12b2x0dGkuZmkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr
+Mm4LYAQ0QgYbgrcKRUvO1wtCGPVOeDSsZRSX50KVKpBetwO2slmXQIUd4ngdhoPR
+wHcaTeOnbnlrAB+Ex19FuuHUFXkBbbXlf50jEzk8XlD7FALNXzB3bm3KQDGjQq32
+Tjx/fuLIQzEI3kRm+Z63wc+e//iToUpCM9WdSA2OLyp/tPWYyRjajkjDHuviYx1t
+EhAq8rPB4n3sxW0YPdzjA6HF++xAbCWOU5+Rf6v5r+oXpPmdsRJuRYPPWO03++5C
+uPYA/3Uz4+bAHS7Vr3Xmb/+VWjsBa6+gUckdc9dhZZXd4AOb/Y3Qn2oWBl094123
+pqqJ+bFi6i2v6hjX5SrLAgMBAAGjeTB3MB0GA1UdDgQWBBRsEih8RF6F/IBlm4Q+
+SOLSDMwx/zBWBgNVHREETzBNghlpZHAudGVzdC5lc3Bvb24tdm9sdHRpLmZphjBo
+dHRwczovL2lkcC50ZXN0LmVzcG9vbi12b2x0dGkuZmkvaWRwL3NoaWJib2xldGgw
+DQYJKoZIhvcNAQELBQADggEBABLMhlCrXLfIU5+5JGhipZWUaoyuwL4VRpgPo5GM
+m6gqcd6f9Pjyt8VxgFQDXxi4leXsQGGzJuib2jiJTafjoZTKxJl4VNJTgGVE7GL0
+aA5z4qMK0eig/Jrkml219R4Op2xf9VjcdabZTb1l/SryALyRVBTaTEeIHrHDtKk5
+ZA/EcatmkllreMX4NOI1UrIq6oDCmuO7QXvsAhvcPRbjk5hWan9OnBQoM83Fbx1s
+u4vnJOKvNhj2q2B6CYsEZ/6Nkzc7I5bj4qIsR4Ips5XWcaECT/UA2Vt6NDctngrF
+WfffY+vUUrhNu/pn8VgN7qvcfj5kxmNR1sEmWjuFk9BEacA=
+-----END CERTIFICATE-----

api-gateway/config/certificates/pyproject.toml

@@ -0,0 +1,28 @@
+[tool.black]
+line-length = 120
+target_version = ['py38']
+include = '\.pyi?$'
+exclude = '''
+/(
+    \.eggs
+  | \.git
+  | \.github
+  | \.hg
+  | \.mypy_cache
+  | \.tox
+  | \.pyre_configuration
+  | \.venv
+  | \.terraform
+  | _build
+  | buck-out
+  | build
+  | dist
+  | pipenv/vendor
+  | pipenv/patched
+  | tests/pypi
+  | tests/pytest-pypi
+  | tests/test_artifacts
+  | get-pipenv.py
+  | XDG_CACHE_HOME
+)
+'''

api-gateway/config/test-cert/jwt_private_key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDNBrQ0W+nl4Ujj
+Id0LuyorfX2QVN4KSTw27a70cNaUwAEiy69AumQMi/G2Z+a74IEWsOq/7dQAKzza
+gpYYlP1FhNc7G6WC1R3LbKVaFVIqrDM2CFnvUPyEyj6CHZHUPJy3MPJwu5AGZDl8
+oQivRRcwmKwIYZwdNKSbRSzUHCOn+9lkBj8sx/y+4DCgtJtkUZ16YAJe37PkRxA8
+Tot2ezk2MmsaCZIESaLRqOOPj9JavrvxYgA0Kkui+GmSY5zpi5pKw4jX6daTVEA0
+Y+UYzYMcvsrQEaOAz6Vjj4PX4ypxRc9WhUKm0BNfvz7QvxWgBX5XrvYj1lnS4afe
+BH+cBNnx8BSk2jVckDn1k8XMh9Jo85bfOuAJ2smBC/C8uGPmsJ9OBt+kah4oons8
+sS4GQAuS/d77LwUGsL9E6+ZlNlIbyRTeVLtf5UCNv0S15Uc8pPK+FasVv+E0npBw
+P4XpVDoaZMs6k3rEVZZ1ic2t6MiEbfpSM31bKa2ZwPmAKyAzqzkNUiIksICD8RFP
+DsSVFAwtRvcOJu9eP5CUU9PQ4QGNLqcRiqjlFLWfZAqs3oz6uOaEx/mrVdCh27WP
+AnWqLzPFDtmtxJSzhylFUad2psufgwfVe7Jo5+EJWhTlRGiMmZqmJcWAc/vde6US
+CetDlXMy4RSPZtQj5t/lPZbDx2QO/QIDAQABAoICABs8Yr/53c596PLTUsv2Jxnz
+57Q+sehn5ind1Tn/q2HDR+NZb4SHvja0eH2ku9AFeOCMzAKHE3yaQdE9O7c0Q5jy
+lqzxdUE2Emktm6Gl525nxb3NyjSya3kwbLFYQEETdDYZuHslT3Kp6cEWm1K9OOFp
+xqCuZtCyZ5OA0v2yZ0IvgKd69PV786VfntYaZ/IhrWvOSUJVMU6H6i44uOoaYHVE
+qVmiH9WV+p0jdGdj0avgXpMoU6KaY8XYfh3GQdf8hZic9RbJp4mWzZioFI0A8APn
+jIWrci7wZqYdMISDVuYJQgvaVApY5dn4S93rJHJHiIsZYPVNykzrUSN7MYCGXHU8
+XF3T7KQj3Xne5H8DpHxl3hW1V9Fxpl5DzxQ+93e9leV2BAS9rDZvaRJY5sLsteMG
+qCfWj6U20C/71xGJpGqCS0AhpmiweAhp8D2bMo70MKaRa1oM8Hfmj6ubtcGlHRHG
+xhgFyO4LVE+/DZXCIhbU2v4kIwlN/Asf80AJFBV/+TnqnGG5jsYpnjrqQMLVZ25I
+lcNnfDuXj47tWqKIFLiqpIuwQEcqBNJCaVvl1XGnyU6/Fs8pvPlUB6qhsxQyfUFw
+9eKNgw+1Qg+Vl/HGoq4IDqhaZftu3HCuBGFMoGjtKJ6j+Rtl+tE+Qy4jFGddZD+w
+LMGGUoMDp8kUY3g1JpjBAoIBAQDxykhVwSDQ1nGN7Rax9DuSzaUhrER0WENnxL1S
+I5A5tNsBq1kYpn4Pg6I2OUur1kCEjHRVPYkoeelwtcODQxuNu5BqenvNZDAnJDFg
+5kfdqtQHpQCdF6kxJv0mVaje/WRAhRpll77qgAIWfP1EuoURzAGHodkv+09kv2z6
+axeBWcEUVOSl4sCkylCEMhIRV6ANpkCtJn7YyvVo3IZI/WXk8fg0BOK0I4tHbYTd
+f+FmS0zzheActoPbtwCrkJ/XCY0kW70hjhr7f+njZsedl2AGkqxiBQfjF02bsgNR
+7jpkSEoRe9sGGVQFVWR7uuCOiU1wpbShbyfqfbIjY2V/2GQZAoIBAQDZE09Gzq5p
+iZLVBf8q3PDpNgm28dJprrMjdL54yO7AYVUWr6fG0v6+B9eVrpLWweLHF+DtM6YJ
+9vCucPzzoiOdVVoA4SNn4UeZowfMLlD4dSz6gE4sTJuC1NTq7HZ6kV8qkgaoxY/3
+kwmrf5i2pKPxCMPYz/9UDDy3bh9Lo5FPuXx4bTQa1Umq1RBJp9PtpL2u0RFORqK3
+MLMQFoXab0iIxmEfPhvVTxX1GtL9EkoKPd70z5a/mLQr1l6Lp+GK/iv4oEyiJ6uI
+I8ZbgZHZYM5uf9oWX8E1BBYfCexTswbxtBubJX8cqXSNh1v6cT2/Wm1HIqVH8548
+3+nwBIm4yj6FAoIBAQDElKTY68slX6Q1MtSn3BzvTzj5tph1SymKXX9bH8Tr1enV
+Yp1umDaXoHsqwMyQKgKMgbE3eG9iNDQiSfVqbA4j3qIcn/a118X6nMd0s+UsCO6Y
+RIPKNOl/J+bb2vsQSU3P0yfR/1zeRTLtW7OCxG7aOFXqEyGEjDtRev08YANdTD7Z
+q+e2IzRjBoYN5LOh2+8qCcg9vrWUxvZdyiV3hGXqjPwyNuKmeNuNODK073qvc3td
+5rN+RLnR0ei+lDgQWhihveB4PpQbdDURiIe0zdTpoyh6DQMLk++qLUHbw+c/jzKB
+IoTBYahZKcMngZl+6YzHkEHamogGcyl48iAcoC9JAoIBAQCqmDJFQ0huSF/MadoO
+pXPu0zjvPTxPMaw2wRivc7muFs/39DO2XTs1vJQAXiGoBNdj/7AUufJTAm5DqSgh
+j9rNWrZQ2p4olTLf2u/V1tBrcirW8t58kffk6b4qoYq66GQR4JC7MgfiWPvQe4ZY
+gysT0f+X9F6Eftl4jmKp3vHj5bGcMrYwIE60op0aRXqX2E/5gvRGv9xAe1U933Vy
+JOKsGrtZAkZ9bJmk9l+54xWs1tLRMhMWn7t4eA/1UQo/YWDNE60mAmcbpoHMiBdG
+7n1M+c06qCX+tCduXS4M2TUr3o+TbfRnYgTm9Omj+Dq+lyIqNWAPG7XPwWjn56kU
+QFzBAoIBAQC548trc8x1ItUJcMaPFzFnIxQUnSdCNA/PIpc1Nef9ly98tjoOClpp
+yHNHaeVmHmDsGTk2917N7yQtSCs10gyy+Eum826th9BUnnBQYY5afvanZkJkelbU
+SioYpqrKJuVd5OHmwaTYmim4a4b+K5AyZ4JGxNYHMEaFOpwYvvNVioSes6zwTrrP
+VSExNY/EyBkX1ot663NrxYEdkCzDVVxn1gg598YKc8nR/7PVLO2m7Ls7sXdg1VLy
+WeSyGGVRJsjVmQxRSV9bc9tPqKtuTivBAiygrC4KUKG6065jqB73oZzTLttx2XoG
+BTt5KZ8Bn3Q0zHjiU8mdNyKnWgFwdjWb
+-----END PRIVATE KEY-----

api-gateway/config/test-cert/jwt_public_key.pem

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzQa0NFvp5eFI4yHdC7sq
+K319kFTeCkk8Nu2u9HDWlMABIsuvQLpkDIvxtmfmu+CBFrDqv+3UACs82oKWGJT9
+RYTXOxulgtUdy2ylWhVSKqwzNghZ71D8hMo+gh2R1DyctzDycLuQBmQ5fKEIr0UX
+MJisCGGcHTSkm0Us1Bwjp/vZZAY/LMf8vuAwoLSbZFGdemACXt+z5EcQPE6Ldns5
+NjJrGgmSBEmi0ajjj4/SWr678WIANCpLovhpkmOc6YuaSsOI1+nWk1RANGPlGM2D
+HL7K0BGjgM+lY4+D1+MqcUXPVoVCptATX78+0L8VoAV+V672I9ZZ0uGn3gR/nATZ
+8fAUpNo1XJA59ZPFzIfSaPOW3zrgCdrJgQvwvLhj5rCfTgbfpGoeKKJ7PLEuBkAL
+kv3e+y8FBrC/ROvmZTZSG8kU3lS7X+VAjb9EteVHPKTyvhWrFb/hNJ6QcD+F6VQ6
+GmTLOpN6xFWWdYnNrejIhG36UjN9WymtmcD5gCsgM6s5DVIiJLCAg/ERTw7ElRQM
+LUb3DibvXj+QlFPT0OEBjS6nEYqo5RS1n2QKrN6M+rjmhMf5q1XQodu1jwJ1qi8z
+xQ7ZrcSUs4cpRVGndqbLn4MH1XuyaOfhCVoU5URojJmapiXFgHP73XulEgnrQ5Vz
+MuEUj2bUI+bf5T2Ww8dkDv0CAwEAAQ==
+-----END PUBLIC KEY-----

api-gateway/package.json

@@ -11,14 +11,44 @@
     "dev": "tsc --build . && concurrently --prefix '[{name}]' --names 'tsc,nodemon' 'tsc --build --preserveWatchOutput -w .' 'NODE_ENV=local nodemon dist/index.js'"
   },
   "dependencies": {
+    "@node-saml/node-saml": "^4.0.5",
+    "@node-saml/passport-saml": "^4.0.4",
+    "axios": "^1.6.0",
+    "connect-redis": "^7.1.0",
+    "cookie-parser": "^1.4.6",
+    "csurf": "^1.11.0",
+    "fast-xml-parser": "^4.3.1",
     "express": "^4.18.2",
     "express-http-proxy": "^2.0.0",
+    "express-session": "^1.17.3",
     "helmet": "^7.1.0",
-    "source-map-support": "^0.5.21"
+    "jsonwebtoken": "^9.0.0",
+    "lodash": "^4.17.21",
+    "make-error-cause": "^2.3.0",
+    "nocache": "^4.0.0",
+    "passport": "^0.6.0",
+    "pino": "^8.16.0",
+    "pino-http": "^8.5.0",
+    "pino-pretty": "^10.2.0",
+    "redis": "^4.6.7",
+    "query-string": "^8.1.0",
+    "source-map-support": "^0.5.21",
+    "zod": "^3.22.3"
   },
   "devDependencies": {
+    "@types/cookie-parser": "^1.4.3",
+    "@types/csurf": "^1.11.2",
     "@types/express-http-proxy": "^1.6.6",
+    "@types/express-session": "^1.17.7",
+    "@types/jsonwebtoken": "^9.0.2",
+    "@types/lodash": "^4.14.195",
     "@types/node": "^20.9.0",
+    "@types/passport": "^1.0.12",
+    "@types/passport-strategy": "^0.2.35",
+    "@types/pino-http": "^5.8.1",
+    "@types/pino-pretty": "^5.0.0",
+    "@types/pino-std-serializers": "^4.0.0",
+    "@types/redis": "^4.0.11",
     "@types/source-map-support": "^0.5.10",
     "@typescript-eslint/eslint-plugin": "^6.12.0",
     "@typescript-eslint/parser": "^6.12.0",