feat: add Auth (#95)

* feat: add Auth

* refactor: assign privileges to endpoints

* refactor: helper function refactorization

* refactor: auth toggle variable name

---------

Co-authored-by: Len Bekker <[email protected]>
Co-authored-by: cshezi <[email protected]>

Author: 3 people

.env.template

@@ -26,3 +26,6 @@ VALKEY_IS_CLUSTER=false
 CACHE_TTL=1000
 
 ACTIVE_CONDITIONS_ONLY=false
+
+AUTHENTICATED=false
+CERT_PATH_PUBLIC=

.gitignore

@@ -131,3 +131,6 @@ dist
 .pnp.*
 
 build
+
+#keys
+*.pem

Dockerfile

@@ -67,6 +67,9 @@ ENV VALKEY_AUTH=
 ENV VALKEY_SERVERS=
 ENV VALKEY_IS_CLUSTER=
 
+ENV AUTHENTICATED=false
+ENV CERT_PATH_PUBLIC=
+
 ENV CACHE_TTL=1000
 ENV ACTIVE_CONDITIONS_ONLY=false
 

package-lock.json

@@ -35,6 +35,7 @@
     "@fastify/response-validation": "^2.6.0",
     "@fastify/swagger": "^8.8.0",
     "@fastify/swagger-ui": "^3.0.0",
+    "@tazama-lf/auth-lib": "^0.0.9",
     "@tazama-lf/frms-coe-lib": "^4.2.0-rc.0",
     "ajv": "^8.16.0",
     "dotenv": "^16.0.3",

package.json

@@ -0,0 +1,27 @@
+import { validateTokenAndClaims } from '@tazama-lf/auth-lib';
+import { type FastifyReply, type FastifyRequest } from 'fastify';
+import { loggerService } from '..';
+
+export const tokenHandler = (claim: string) => {
+  return async (request: FastifyRequest, reply: FastifyReply): Promise<void> => {
+    const logContext = 'tokenHandler()';
+    const authHeader = request.headers.authorization;
+    if (!authHeader?.startsWith('Bearer ') || !claim) {
+      reply.code(401).send({ error: 'Unauthorized' });
+      return;
+    }
+
+    try {
+      const token = authHeader.split(' ')[1];
+      const validated = validateTokenAndClaims(token, [claim]);
+      if (!validated[claim]) {
+        reply.code(401).send({ error: 'Unauthorized' });
+      }
+      loggerService.log('Authenticated', logContext);
+    } catch (error) {
+      const err = error as Error;
+      loggerService.error(`${err.name}: ${err.message}\n${err.stack}`, logContext);
+      reply.code(401).send({ error: 'Unauthorized' });
+    }
+  };
+};

src/auth/authHandler.ts

@@ -22,13 +22,15 @@ export interface IConfig {
   };
   db: Required<AppDatabaseServices>;
   cacheTTL: number;
+  authentication: boolean;
 }
 
 export const configuration: IConfig = {
   cacheTTL: parseInt(process.env.CACHE_TTL!, 10) || 1000,
   maxCPU: parseInt(process.env.MAX_CPU!, 10) || 1,
   env: process.env.NODE_ENV!,
   activeConditionsOnly: process.env.ACTIVE_CONDITIONS_ONLY === 'true',
+  authentication: process.env.AUTHENTICATED === 'true',
   service: {
     port: parseInt(process.env.PORT!, 10) || 3000,
     host: process.env.HOST! || '127.0.0.1',

src/config.ts

@@ -11,25 +11,61 @@ import {
   updateAccountConditionExpiryDateHandler,
   updateEntityConditionExpiryDateHandler,
 } from './app.controller';
-import { SetOptionsBody, SetOptionsParams, SetOptionsBodyAndParams } from './utils/schema-utils';
+import { SetOptionsBodyAndParams } from './utils/schema-utils';
+
+const routePrivilege = {
+  getAccount: 'GET_V1_EVENT_FLOW_CONTROL_ACCOUNT',
+  getEntity: 'GET_V1_EVENT_FLOW_CONTROL_ENTITY',
+  putAccount: 'PUT_V1_EVENT_FLOW_CONTROL_ACCOUNT',
+  putEntity: 'PUT_V1_EVENT_FLOW_CONTROL_ENTITY',
+  postAccount: 'POST_V1_EVENT_FLOW_CONTROL_ACCOUNT',
+  postEntity: 'POST_V1_EVENT_FLOW_CONTROL_ENTITY',
+  putCache: 'PUT_V1_EVENT_FLOW_CONTROL_CACHE',
+  getReport: 'GET_V1_GETREPORTBYMSGID',
+};
 
 async function Routes(fastify: FastifyInstance): Promise<void> {
   fastify.get('/', handleHealthCheck);
   fastify.get('/health', handleHealthCheck);
-  fastify.get('/v1/admin/reports/getreportbymsgid', SetOptionsParams(reportRequestHandler, 'messageIDSchema'));
-  fastify.get('/v1/admin/event-flow-control/entity', SetOptionsParams(getConditionHandler, 'queryEntityConditionSchema'));
-  fastify.get('/v1/admin/event-flow-control/account', SetOptionsParams(getAccountConditionsHandler, 'queryAccountConditionSchema'));
-  fastify.post('/v1/admin/event-flow-control/entity', SetOptionsBody(postConditionHandlerEntity, 'entityConditionSchema'));
-  fastify.post('/v1/admin/event-flow-control/account', SetOptionsBody(postConditionHandlerAccount, 'accountConditionSchema'));
+  fastify.get(
+    '/v1/admin/reports/getreportbymsgid',
+    SetOptionsBodyAndParams(reportRequestHandler, routePrivilege.getReport, undefined, 'messageIDSchema'),
+  );
+  fastify.get(
+    '/v1/admin/event-flow-control/entity',
+    SetOptionsBodyAndParams(getConditionHandler, routePrivilege.getEntity, undefined, 'queryEntityConditionSchema'),
+  );
+  fastify.get(
+    '/v1/admin/event-flow-control/account',
+    SetOptionsBodyAndParams(getAccountConditionsHandler, routePrivilege.getAccount, undefined, 'queryAccountConditionSchema'),
+  );
+  fastify.post(
+    '/v1/admin/event-flow-control/entity',
+    SetOptionsBodyAndParams(postConditionHandlerEntity, routePrivilege.postEntity, 'entityConditionSchema'),
+  );
+  fastify.post(
+    '/v1/admin/event-flow-control/account',
+    SetOptionsBodyAndParams(postConditionHandlerAccount, routePrivilege.postAccount, 'accountConditionSchema'),
+  );
   fastify.put(
     '/v1/admin/event-flow-control/entity',
-    SetOptionsBodyAndParams(updateEntityConditionExpiryDateHandler, 'expireDateTimeSchema', 'expireEntityConditionSchema'),
+    SetOptionsBodyAndParams(
+      updateEntityConditionExpiryDateHandler,
+      routePrivilege.putEntity,
+      'expireDateTimeSchema',
+      'expireEntityConditionSchema',
+    ),
   );
   fastify.put(
     '/v1/admin/event-flow-control/account',
-    SetOptionsBodyAndParams(updateAccountConditionExpiryDateHandler, 'expireDateTimeSchema', 'expireAccountConditionSchema'),
+    SetOptionsBodyAndParams(
+      updateAccountConditionExpiryDateHandler,
+      routePrivilege.putAccount,
+      'expireDateTimeSchema',
+      'expireAccountConditionSchema',
+    ),
   );
-  fastify.put('/v1/admin/event-flow-control/cache', putRefreshCache);
+  fastify.put('/v1/admin/event-flow-control/cache', SetOptionsBodyAndParams(putRefreshCache, routePrivilege.putCache));
 }
 
 export default Routes;

src/router.ts

@@ -1,39 +1,26 @@
 // SPDX-License-Identifier: Apache-2.0
-import { type RouteHandlerMethod } from 'fastify';
+import { type FastifyReply, type FastifyRequest, type RouteHandlerMethod } from 'fastify';
 import { type FastifySchema } from 'fastify/types/schema';
+import { loggerService } from '..';
+import { configuration } from '../config';
+import { tokenHandler } from '../auth/authHandler';
 
-export const SetOptionsBody = (
-  handler: RouteHandlerMethod,
-  bodySchemaName: string,
-): { handler: RouteHandlerMethod; schema: FastifySchema } => {
-  const schema: FastifySchema = { body: { $ref: `${bodySchemaName}#` } };
-
-  return {
-    handler,
-    schema,
-  };
-};
-
-export const SetOptionsParams = (
-  handler: RouteHandlerMethod,
-  paramSchemaName: string,
-): { handler: RouteHandlerMethod; schema: FastifySchema } => {
-  const schema: FastifySchema = { querystring: { $ref: `${paramSchemaName}#` } };
-
-  return {
-    handler,
-    schema,
-  };
-};
+type preHandler = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 
 export const SetOptionsBodyAndParams = (
   handler: RouteHandlerMethod,
-  bodySchemaName: string,
-  paramSchemaName: string,
-): { handler: RouteHandlerMethod; schema: FastifySchema } => {
-  const schema: FastifySchema = { querystring: { $ref: `${paramSchemaName}#` }, body: { $ref: `${bodySchemaName}#` } };
+  claim: string,
+  bodySchemaName?: string,
+  paramSchemaName?: string,
+): { preHandler?: preHandler; handler: RouteHandlerMethod; schema: FastifySchema } => {
+  loggerService.debug(`Authentication is ${configuration.authentication ? 'ENABLED' : 'DISABLED'} for ${handler.name}`);
+  const preHandler = configuration.authentication ? tokenHandler(claim) : undefined;
+  const querystring = paramSchemaName ? { querystring: { $ref: `${paramSchemaName}#` } } : undefined;
+  const body = bodySchemaName ? { body: { $ref: `${bodySchemaName}#` } } : undefined;
+  const schema: FastifySchema = { ...querystring, ...body };
 
   return {
+    preHandler,
     handler,
     schema,
   };