IMN-521 Authorization-server (#1134)

Co-authored-by: Stefano Hu <[email protected]>

docker/docker-compose.yml

@@ -78,7 +78,7 @@ services:
       - dynamodb-local
     restart: always
     ports:
-      - "8002:8002"
+      - "8002:8001"
     environment:
       - DYNAMO_ENDPOINT=http://dynamodb-local:8000
       - AWS_REGION=eu-south-1

package.json

@@ -35,6 +35,7 @@
     "start:delegation": "turbo start --filter pagopa-interop-delegation-process",
     "start:delegation-readmodel-writer": "turbo start --filter pagopa-interop-delegation-readmodel-writer",
     "start:datalake-data-export": "turbo start --filter pagopa-interop-datalake-data-export",
+    "start:authorization-server": "turbo start --filter pagopa-interop-authorization-server",
     "test": "turbo test",
     "build": "turbo build",
     "check": "turbo check",

packages/api-clients/open-api/authorizationServerApi.yml

@@ -0,0 +1,215 @@
+openapi: 3.0.3
+info:
+  title: Interoperability Authorization Server Micro Service
+  description: Provides endpoints to request an interoperability token
+  version: "0.1.0"
+  contact:
+    name: API Support
+    url: "http://www.example.com/support"
+    email: [email protected]
+  termsOfService: "http://swagger.io/terms/"
+  x-api-id: an x-api-id
+  x-summary: an x-summary
+servers:
+  - url: "/authorization-server"
+    description: Interoperability Authorization Server
+tags:
+  - name: auth
+    description: Get security information
+    externalDocs:
+      description: Find out more
+      url: http://swagger.io
+  - name: health
+    description: Verify service status
+    externalDocs:
+      description: Find out more
+      url: http://swagger.io
+paths:
+  "/token.oauth2":
+    post:
+      tags:
+        - auth
+      summary: Create a new access token
+      description: Return the generated access token
+      operationId: createToken
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: "#/components/schemas/AccessTokenRequest"
+      responses:
+        "200":
+          description: The Access token
+          headers:
+            Cache-Control:
+              schema:
+                type: string
+                default: no-cache, no-store
+              description: no-cache, no-store
+            "X-Rate-Limit-Limit":
+              schema:
+                type: integer
+              description: Max allowed requests within time interval
+            "X-Rate-Limit-Remaining":
+              schema:
+                type: integer
+              description: Remaining requests within time interval
+            "X-Rate-Limit-Interval":
+              schema:
+                type: integer
+              description: Time interval in milliseconds. Allowed requests will be constantly replenished during the interval. At the end of the interval the max allowed requests will be available
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ClientCredentialsResponse"
+        "400":
+          description: Bad request
+          x-noqa: RFC6749
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+        "401":
+          description: Unauthorized
+          x-noqa: RFC6749
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+        "429":
+          description: Too Many Requests
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+          headers:
+            "X-Rate-Limit-Limit":
+              schema:
+                type: integer
+              description: Max allowed requests within time interval
+            "X-Rate-Limit-Remaining":
+              schema:
+                type: integer
+              description: Remaining requests within time interval
+            "X-Rate-Limit-Interval":
+              schema:
+                type: integer
+              description: Time interval in milliseconds. Allowed requests will be constantly replenished during the interval. At the end of the interval the max allowed requests will be available
+  /status:
+    get:
+      security: []
+      summary: Returns the application status
+      description: Returns the application status
+      operationId: get_status
+      tags:
+        - health
+      responses:
+        "200":
+          description: This is the valid status from the server.
+          content:
+            application/problem+json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+components:
+  schemas:
+    AccessTokenRequest:
+      type: object
+      required:
+        - client_assertion
+        - client_assertion_type
+        - grant_type
+      properties:
+        client_id:
+          type: string
+          example: e58035ce-c753-4f72-b613-46f8a17b71cc
+        client_assertion:
+          type: string
+          format: jws
+        client_assertion_type:
+          type: string
+          example: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
+        grant_type:
+          type: string
+          enum:
+            - client_credentials
+    TokenType:
+      type: string
+      description: Represents the token type
+      enum:
+        - Bearer
+    ClientCredentialsResponse:
+      type: object
+      required:
+        - access_token
+        - token_type
+        - expires_in
+      properties:
+        access_token:
+          type: string
+          format: jws
+        token_type:
+          $ref: "#/components/schemas/TokenType"
+        expires_in:
+          type: integer
+          format: int32
+          maximum: 600
+    Problem:
+      properties:
+        type:
+          description: URI reference of type definition
+          type: string
+        status:
+          description: The HTTP status code generated by the origin server for this occurrence of the problem.
+          example: 400
+          exclusiveMaximum: true
+          format: int32
+          maximum: 600
+          minimum: 100
+          type: integer
+        title:
+          description: A short, summary of the problem type. Written in english and readable
+          example: Service Unavailable
+          maxLength: 64
+          pattern: "^[ -~]{0,64}$"
+          type: string
+        correlationId:
+          description: Unique identifier of the request
+          example: "53af4f2d-0c87-41ef-a645-b726a821852b"
+          maxLength: 64
+          type: string
+        detail:
+          description: A human readable explanation of the problem.
+          example: Request took too long to complete.
+          maxLength: 4096
+          pattern: "^.{0,1024}$"
+          type: string
+        errors:
+          type: array
+          minItems: 0
+          items:
+            $ref: "#/components/schemas/ProblemError"
+      additionalProperties: false
+      required:
+        - type
+        - status
+        - title
+        - errors
+    ProblemError:
+      properties:
+        code:
+          description: Internal code of the error
+          example: 123-4567
+          minLength: 8
+          maxLength: 8
+          pattern: "^[0-9]{3}-[0-9]{4}$"
+          type: string
+        detail:
+          description: A human readable explanation specific to this occurrence of the problem.
+          example: Parameter not valid
+          maxLength: 4096
+          pattern: "^.{0,1024}$"
+          type: string
+      required:
+        - code
+        - detail

packages/api-clients/src/index.ts

@@ -11,3 +11,4 @@ export * as apiGatewayApi from "./apiGatewayApi.js";
 export * as notifierApi from "./generated/notifierApi.js";
 export * as delegationApi from "./generated/delegationApi.js";
 export * from "./selfcareClients.js";
+export * as authorizationServerApi from "./generated/authorizationServerApi.js";

packages/authorization-server/.env

@@ -0,0 +1,40 @@
+HOST=0.0.0.0
+PORT=3300
+LOG_LEVEL=info
+
+AWS_CONFIG_FILE=aws.config.local
+TOKEN_GENERATION_READMODEL_TABLE_NAME_PLATFORM="platform-states"
+TOKEN_GENERATION_READMODEL_TABLE_NAME_TOKEN_GENERATION="token-generation-states"
+
+AWS_REGION="eu-south-1"
+
+CLIENT_ASSERTION_AUDIENCE="test.interop.pagopa.it"
+
+GENERATED_INTEROP_TOKEN_ALGORITHM="RS256"
+GENERATED_INTEROP_TOKEN_KID="ffcc9b5b-4612-49b1-9374-9d203a3834f2"
+GENERATED_INTEROP_TOKEN_ISSUER="test"
+GENERATED_INTEROP_TOKEN_M2M_AUDIENCE="test.interop.pagopa.it"
+GENERATED_INTEROP_TOKEN_M2M_DURATION_SECONDS=60
+TOKEN_AUDITING_TOPIC="authorization-server.generated-jwt"
+
+RATE_LIMITER_BURST_PERCENTAGE="0"
+RATE_LIMITER_MAX_REQUESTS="10"
+RATE_LIMITER_RATE_INTERVAL_MILLIS="1000"
+RATE_LIMITER_REDIS_HOST="localhost"
+RATE_LIMITER_REDIS_PORT="6379"
+RATE_LIMITER_TIMEOUT_MILLIS="300"
+
+PRODUCER_KAFKA_CLIENT_ID="authorization-server"
+PRODUCER_KAFKA_BROKERS="localhost:9092"
+PRODUCER_KAFKA_DISABLE_AWS_IAM_AUTH="true"
+
+S3_BUCKET=interop-local-bucket
+S3_CUSTOM_SERVER=true
+S3_SERVER_HOST=http://localhost
+S3_SERVER_PORT=9000
+
+KAFKA_CLIENT_ID="authorization-server"
+KAFKA_GROUP_ID="authorization-server-group"
+KAFKA_BROKERS="localhost:9092"
+KAFKA_DISABLE_AWS_IAM_AUTH="true"
+

packages/authorization-server/Dockerfile

@@ -0,0 +1,51 @@
+FROM node:20.14.0-slim@sha256:5e8ac65a0231d76a388683d07ca36a9769ab019a85d85169fe28e206f7a3208e as build
+
+RUN corepack enable
+
+WORKDIR /app
+COPY package.json /app/
+COPY pnpm-lock.yaml /app/
+COPY pnpm-workspace.yaml /app/
+COPY .npmrc /app/
+
+COPY ./packages/authorization-server/package.json /app/packages/authorization-server/package.json
+COPY ./packages/commons/package.json /app/packages/commons/package.json
+COPY ./packages/models/package.json /app/packages/models/package.json
+COPY ./packages/client-assertion-validation/package.json /app/packages/client-assertion-validation/package.json
+COPY ./packages/kafka-iam-auth/package.json /app/packages/kafka-iam-auth/package.json
+COPY ./packages/api-clients/package.json /app/packages/api-clients/package.json
+
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
+
+COPY tsconfig.json /app/
+COPY turbo.json /app/
+COPY ./packages/authorization-server /app/packages/authorization-server
+COPY ./packages/commons /app/packages/commons
+COPY ./packages/models /app/packages/models
+COPY ./packages/client-assertion-validation /app/packages/client-assertion-validation
+COPY ./packages/kafka-iam-auth /app/packages/kafka-iam-auth
+COPY ./packages/api-clients /app/packages/api-clients
+
+RUN pnpm build && \
+  rm -rf /app/node_modules/.modules.yaml && \
+  rm -rf /app/node_modules/.cache && \
+  mkdir /out && \
+  cp -a --parents -t /out \
+  node_modules packages/authorization-server/node_modules \
+  package*.json packages/authorization-server/package*.json \
+  packages/commons/ \
+  packages/models/ \
+  packages/client-assertion-validation/ \
+  packages/kafka-iam-auth/ \
+  packages/api-clients \
+  packages/authorization-server/dist && \
+  find /out -exec touch -h --date=@0 {} \;
+
+FROM node:20.14.0-slim@sha256:5e8ac65a0231d76a388683d07ca36a9769ab019a85d85169fe28e206f7a3208e as final 
+
+COPY --from=build /out /app
+
+WORKDIR /app/packages/authorization-server
+EXPOSE 3300
+
+CMD [ "node", "." ]

packages/authorization-server/aws.config.local

@@ -0,0 +1,12 @@
+[default]
+aws_access_key_id=testawskey
+aws_secret_access_key=testawssecret
+region=eu-south-1
+services=local
+
+[services local]
+dynamodb= 
+  endpoint_url=http://localhost:8085
+
+kms=
+  endpoint_url=http://localhost:4566