Pin 5687: Verify tenant certified attributes for agreement creation

packages/agreement-process/src/model/domain/agreement-validators.ts

@@ -14,6 +14,8 @@ import {
   EServiceId,
   unsafeBrandId,
   TenantId,
+  Delegation,
+  delegationState,
 } from "pagopa-interop-models";
 import { agreementApi } from "pagopa-interop-api-clients";
 import { AuthData } from "pagopa-interop-commons";
@@ -29,12 +31,15 @@ import {
   agreementAlreadyExists,
   agreementNotInExpectedState,
   agreementSubmissionFailed,
+  delegationNotActive,
   descriptorNotFound,
   descriptorNotInExpectedState,
   documentChangeNotAllowed,
   missingCertifiedAttributesError,
   notLatestEServiceDescriptor,
   operationNotAllowed,
+  operationRestrictedToDelegate,
+  tenantIsNotRequester,
 } from "./errors.js";
 import {
   CertifiedAgreementAttribute,
@@ -189,6 +194,30 @@ export const assertActivableState = (agreement: Agreement): void => {
   }
 };
 
+export const assertIsDelegate = (
+  delegation: Delegation,
+  delegateId: TenantId
+): void => {
+  if (delegation.delegateId !== delegateId) {
+    throw operationRestrictedToDelegate(delegateId, delegation.id);
+  }
+};
+
+export const assertDelegationIsActive = (delegation: Delegation): void => {
+  if (delegation.state !== delegationState.active) {
+    throw delegationNotActive(delegation.id);
+  }
+};
+
+export const assertTenantIsRequester = (
+  organizationId: TenantId,
+  tenantId: TenantId
+): void => {
+  if (organizationId !== tenantId) {
+    throw tenantIsNotRequester(organizationId, tenantId);
+  }
+};
+
 /* =========  VALIDATIONS ========= */
 
 const validateDescriptorState = (

packages/agreement-process/src/model/domain/errors.ts

@@ -40,6 +40,10 @@ export const errorCodes = {
   consumerWithNotValidEmail: "0024",
   agreementDocumentAlreadyExists: "0025",
   userNotFound: "0026",
+  delegationNotFound: "0027",
+  operationRestrictedToDelegate: "0028",
+  delegationNotActive: "0029",
+  tenantIsNotRequester: "0030",
 };
 
 export type ErrorCodes = keyof typeof errorCodes;
@@ -308,3 +312,43 @@ export function attributeNotFound(
     title: "Attribute not found",
   });
 }
+
+export function delegationNotFound(delegationId: string): ApiError<ErrorCodes> {
+  return new ApiError({
+    detail: `Delegation ${delegationId} not found`,
+    code: "delegationNotFound",
+    title: "Delegation not found",
+  });
+}
+
+export function operationRestrictedToDelegate(
+  tenantId: string,
+  delegationId: string
+): ApiError<ErrorCodes> {
+  return new ApiError({
+    detail: `Tenant ${tenantId} is not a delegate for delegation ${delegationId}`,
+    code: "operationRestrictedToDelegate",
+    title: "Operation restricted to delegate",
+  });
+}
+
+export function delegationNotActive(
+  delegationId: string
+): ApiError<ErrorCodes> {
+  return new ApiError({
+    detail: `Delegation ${delegationId} is not active`,
+    code: "delegationNotActive",
+    title: "Delegation not active",
+  });
+}
+
+export function tenantIsNotRequester(
+  organizationId: string,
+  tenantId: string
+): ApiError<ErrorCodes> {
+  return new ApiError({
+    detail: `Requester ${organizationId} is not the same as tenant ${tenantId}`,
+    code: "tenantIsNotRequester",
+    title: "Tenant is not requester",
+  });
+}