IMN-521 authorization server

package.json

@@ -33,6 +33,7 @@
     "start:pn-consumers": "turbo start --filter pagopa-interop-pn-consumers",
     "start:one-trust-notices": "turbo start --filter pagopa-interop-one-trust-notices",
     "start:datalake-data-export": "turbo start --filter pagopa-interop-datalake-data-export",
+    "start:authorization-server": "turbo start --filter pagopa-interop-authorization-server",
     "test": "turbo test",
     "build": "turbo build",
     "check": "turbo check",

packages/api-clients/open-api/authorizationServerApi.yml

@@ -0,0 +1,215 @@
+openapi: 3.0.3
+info:
+  title: Interoperability Authorization Server Micro Service
+  description: Provides endpoints to request an interoperability token
+  version: "0.1.0"
+  contact:
+    name: API Support
+    url: "http://www.example.com/support"
+    email: [email protected]
+  termsOfService: "http://swagger.io/terms/"
+  x-api-id: an x-api-id
+  x-summary: an x-summary
+servers:
+  - url: "/authorization-server"
+    description: Interoperability Authorization Server
+tags:
+  - name: auth
+    description: Get security information
+    externalDocs:
+      description: Find out more
+      url: http://swagger.io
+  - name: health
+    description: Verify service status
+    externalDocs:
+      description: Find out more
+      url: http://swagger.io
+paths:
+  "/token.oauth2":
+    post:
+      tags:
+        - auth
+      summary: Create a new access token
+      description: Return the generated access token
+      operationId: createToken
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: "#/components/schemas/AccessTokenRequest"
+      responses:
+        "200":
+          description: The Access token
+          headers:
+            Cache-Control:
+              schema:
+                type: string
+                default: no-cache, no-store
+              description: no-cache, no-store
+            "X-Rate-Limit-Limit":
+              schema:
+                type: integer
+              description: Max allowed requests within time interval
+            "X-Rate-Limit-Remaining":
+              schema:
+                type: integer
+              description: Remaining requests within time interval
+            "X-Rate-Limit-Interval":
+              schema:
+                type: integer
+              description: Time interval in milliseconds. Allowed requests will be constantly replenished during the interval. At the end of the interval the max allowed requests will be available
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ClientCredentialsResponse"
+        "400":
+          description: Bad request
+          x-noqa: RFC6749
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+        "401":
+          description: Unauthorized
+          x-noqa: RFC6749
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+        "429":
+          description: Too Many Requests
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+          headers:
+            "X-Rate-Limit-Limit":
+              schema:
+                type: integer
+              description: Max allowed requests within time interval
+            "X-Rate-Limit-Remaining":
+              schema:
+                type: integer
+              description: Remaining requests within time interval
+            "X-Rate-Limit-Interval":
+              schema:
+                type: integer
+              description: Time interval in milliseconds. Allowed requests will be constantly replenished during the interval. At the end of the interval the max allowed requests will be available
+  /status:
+    get:
+      security: []
+      summary: Returns the application status
+      description: Returns the application status
+      operationId: get_status
+      tags:
+        - health
+      responses:
+        "200":
+          description: This is the valid status from the server.
+          content:
+            application/problem+json:
+              schema:
+                $ref: "#/components/schemas/Problem"
+components:
+  schemas:
+    AccessTokenRequest:
+      type: object
+      required:
+        - client_assertion
+        - client_assertion_type
+        - grant_type
+      properties:
+        client_id:
+          type: string
+          example: e58035ce-c753-4f72-b613-46f8a17b71cc
+        client_assertion:
+          type: string
+          format: jws
+        client_assertion_type:
+          type: string
+          example: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
+        grant_type:
+          type: string
+          enum:
+            - client_credentials
+    TokenType:
+      type: string
+      description: Represents the token type
+      enum:
+        - Bearer
+    ClientCredentialsResponse:
+      type: object
+      required:
+        - access_token
+        - token_type
+        - expires_in
+      properties:
+        access_token:
+          type: string
+          format: jws
+        token_type:
+          $ref: "#/components/schemas/TokenType"
+        expires_in:
+          type: integer
+          format: int32
+          maximum: 600
+    Problem:
+      properties:
+        type:
+          description: URI reference of type definition
+          type: string
+        status:
+          description: The HTTP status code generated by the origin server for this occurrence of the problem.
+          example: 400
+          exclusiveMaximum: true
+          format: int32
+          maximum: 600
+          minimum: 100
+          type: integer
+        title:
+          description: A short, summary of the problem type. Written in english and readable
+          example: Service Unavailable
+          maxLength: 64
+          pattern: "^[ -~]{0,64}$"
+          type: string
+        correlationId:
+          description: Unique identifier of the request
+          example: "53af4f2d-0c87-41ef-a645-b726a821852b"
+          maxLength: 64
+          type: string
+        detail:
+          description: A human readable explanation of the problem.
+          example: Request took too long to complete.
+          maxLength: 4096
+          pattern: "^.{0,1024}$"
+          type: string
+        errors:
+          type: array
+          minItems: 0
+          items:
+            $ref: "#/components/schemas/ProblemError"
+      additionalProperties: false
+      required:
+        - type
+        - status
+        - title
+        - errors
+    ProblemError:
+      properties:
+        code:
+          description: Internal code of the error
+          example: 123-4567
+          minLength: 8
+          maxLength: 8
+          pattern: "^[0-9]{3}-[0-9]{4}$"
+          type: string
+        detail:
+          description: A human readable explanation specific to this occurrence of the problem.
+          example: Parameter not valid
+          maxLength: 4096
+          pattern: "^.{0,1024}$"
+          type: string
+      required:
+        - code
+        - detail

packages/api-clients/src/index.ts

@@ -10,3 +10,4 @@ export * as tenantApi from "./generated/tenantApi.js";
 export * as apiGatewayApi from "./apiGatewayApi.js";
 export * as notifierApi from "./generated/notifierApi.js";
 export * from "./selfcareClients.js";
+export * as authorizationServerApi from "./generated/authorizationServerApi.js";

packages/authorization-server/.env

@@ -0,0 +1,45 @@
+HOST=0.0.0.0
+PORT=3300
+LOG_LEVEL=info
+
+WELL_KNOWN_URLS="http://127.0.0.1:4500/jwks.json"
+ACCEPTED_AUDIENCES="dev.interop.pagopa.it/ui,refactor.dev.interop.pagopa.it/ui,dev.interop.pagopa.it/m2m,refactor.dev.interop.pagopa.it/m2m"
+
+# TODO: NOT SURE ABOUT THESE
+AWS_CONFIG_FILE=aws.config.local
+TOKEN_GENERATION_READMODEL_TABLE_NAME_PLATFORM="platform-states"
+TOKEN_GENERATION_READMODEL_TABLE_NAME_TOKEN_GENERATION="token-generation-states"
+
+AWS_REGION="eu-central-1"
+
+CLIENT_ASSERTION_AUDIENCE="test.interop.pagopa.it"
+
+GENERATED_INTEROP_TOKEN_ALGORITHM="RS256"
+GENERATED_INTEROP_TOKEN_KID="test"
+GENERATED_INTEROP_TOKEN_ISSUER="test"
+GENERATED_INTEROP_TOKEN_M2M_AUDIENCE="test.interop.pagopa.it"
+GENERATED_INTEROP_TOKEN_M2M_DURATION_SECONDS=60
+# TODO: what's this supposed to be?
+TOKEN_AUDITING_TOPIC="event-store.token.audit"
+
+RATE_LIMITER_BURST_PERCENTAGE="0"
+RATE_LIMITER_MAX_REQUESTS="10"
+RATE_LIMITER_RATE_INTERVAL_MILLIS="1000"
+RATE_LIMITER_REDIS_HOST="localhost"
+RATE_LIMITER_REDIS_PORT="6379"
+RATE_LIMITER_TIMEOUT_MILLIS="300"
+
+PRODUCER_KAFKA_CLIENT_ID="authorization-server"
+PRODUCER_KAFKA_BROKERS="localhost:9092"
+PRODUCER_KAFKA_DISABLE_AWS_IAM_AUTH="true"
+
+S3_BUCKET=interop-local-bucket
+S3_CUSTOM_SERVER=true
+S3_SERVER_HOST=http://localhost
+S3_SERVER_PORT=9000
+
+KAFKA_CLIENT_ID="authorization-server"
+KAFKA_GROUP_ID="authorization-server-group"
+KAFKA_BROKERS="localhost:9092"
+KAFKA_DISABLE_AWS_IAM_AUTH="true"
+

packages/authorization-server/Dockerfile

@@ -0,0 +1,50 @@
+FROM node:20.14.0-slim@sha256:5e8ac65a0231d76a388683d07ca36a9769ab019a85d85169fe28e206f7a3208e as build
+
+RUN corepack enable
+
+WORKDIR /app
+COPY package.json /app/
+COPY pnpm-lock.yaml /app/
+COPY pnpm-workspace.yaml /app/
+
+COPY ./packages/authorization-server/package.json /app/packages/authorization-server/package.json
+COPY ./packages/commons/package.json /app/packages/commons/package.json
+COPY ./packages/models/package.json /app/packages/models/package.json
+COPY ./packages/client-assertion-validation/package.json /app/packages/client-assertion-validation/package.json
+COPY ./packages/kafka-iam-auth/package.json /app/packages/kafka-iam-auth/package.json
+COPY ./packages/api-clients/package.json /app/packages/api-clients/package.json
+
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
+
+COPY tsconfig.json /app/
+COPY turbo.json /app/
+COPY ./packages/authorization-server /app/packages/authorization-server
+COPY ./packages/commons /app/packages/commons
+COPY ./packages/models /app/packages/models
+COPY ./packages/client-assertion-validation /app/packages/client-assertion-validation
+COPY ./packages/kafka-iam-auth /app/packages/kafka-iam-auth
+COPY ./packages/api-clients /app/packages/api-clients
+
+RUN pnpm build && \
+  rm -rf /app/node_modules/.modules.yaml && \
+  rm -rf /app/node_modules/.cache && \
+  mkdir /out && \
+  cp -a --parents -t /out \
+  node_modules packages/authorization-server/node_modules \
+  package*.json packages/authorization-server/package*.json \
+  packages/commons/ \
+  packages/models/ \
+  packages/client-assertion-validation/ \
+  packages/kafka-iam-auth/ \
+  packages/api-clients \
+  packages/authorization-server/dist && \
+  find /out -exec touch -h --date=@0 {} \;
+
+FROM node:20.14.0-slim@sha256:5e8ac65a0231d76a388683d07ca36a9769ab019a85d85169fe28e206f7a3208e as final 
+
+COPY --from=build /out /app
+
+WORKDIR /app/packages/authorization-server
+EXPOSE 3300
+
+CMD [ "node", "." ]

packages/authorization-server/aws.config.local

@@ -0,0 +1,12 @@
+[default]
+aws_access_key_id=testawskey
+aws_secret_access_key=testawssecret
+region=eu-central-1
+services=local
+
+[services local]
+dynamodb= 
+  endpoint_url=http://localhost:8085
+
+kms=
+  endpoint_url=http://localhost:4566

packages/authorization-server/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "pagopa-interop-authorization-server",
+  "version": "1.0.0",
+  "description": "PagoPA Interoperability service for authorization",
+  "main": "dist",
+  "type": "module",
+  "scripts": {
+    "test": "vitest",
+    "lint": "eslint . --ext .ts,.tsx",
+    "lint:autofix": "eslint . --ext .ts,.tsx --fix",
+    "format:check": "prettier --check src",
+    "format:write": "prettier --write src",
+    "start": "node --loader ts-node/esm -r 'dotenv-flow/config' --watch ./src/index.ts",
+    "build": "tsc",
+    "check": "tsc --project tsconfig.check.json"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "Apache-2.0",
+  "devDependencies": {
+    "@pagopa/eslint-config": "3.0.0",
+    "@protobuf-ts/runtime": "2.9.4",
+    "@types/node": "20.14.6",
+    "@types/uuid": "9.0.8",
+    "pagopa-interop-commons-test": "workspace:*",
+    "prettier": "2.8.8",
+    "ts-node": "10.9.2",
+    "typescript": "5.4.5",
+    "vitest": "1.6.0",
+    "uuid": "10.0.0",
+    "jose": "5.9.4"
+  },
+  "dependencies": {
+    "@aws-sdk/client-dynamodb": "3.637.0",
+    "@aws-sdk/client-kms": "3.600.0",
+    "@aws-sdk/util-dynamodb": "3.637.0",
+    "@fastify/formbody": "8.0.1",
+    "@zodios/core": "10.9.6",
+    "axios": "1.7.4",
+    "connection-string": "4.4.0",
+    "dotenv-flow": "4.1.0",
+    "fastify": "5.0.0",
+    "kafka-iam-auth": "workspace:*",
+    "openapi-zod-client": "1.18.1",
+    "pagopa-interop-api-clients": "workspace:*",
+    "pagopa-interop-client-assertion-validation": "workspace:*",
+    "pagopa-interop-commons": "workspace:*",
+    "pagopa-interop-models": "workspace:*",
+    "ts-pattern": "5.2.0",
+    "zod": "3.23.8"
+  }
+}

packages/authorization-server/src/app.ts

@@ -0,0 +1,5 @@
+import fastifyServer from "./routers/authorizationRouter.js";
+
+const app = fastifyServer;
+
+export default app;