feat(auth): tenanted grants (#3187)

* feat(auth): tenanted grants * fix: tests * feat: update bruno collection * fix: tests * feat: update bruno requests, fix integration tests * feat: handle tenants with no idp info * feat: backfill tenants on grants, trim down queries * feat: use tenantId in grant revocation * fix: service function signatures
interledger · Feb 11, 2025 · f8a61c4 · f8a61c4
1 parent 4a4a48d
commit f8a61c4
Show file tree

Hide file tree

Showing 41 changed files with 843 additions and 272 deletions.
diff --git a/...o/collections/Rafiki/Examples/Open Payments Without Quote/Get receiver wallet address.bru b/...o/collections/Rafiki/Examples/Open Payments Without Quote/Get receiver wallet address.bru
@@ -37,7 +37,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path );
   } else {
       bru.setEnvVar("receiverOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments Without Quote/Get sender wallet address.bru b/bruno/collections/Rafiki/Examples/Open Payments Without Quote/Get sender wallet address.bru
@@ -28,7 +28,7 @@ script:post-response {
   }
 
   const body = res.getBody()
-
+  
   bru.setEnvVar("senderAssetCode", body?.assetCode)
   bru.setEnvVar("senderAssetScale", body?.assetScale)
 
@@ -38,7 +38,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path );
   } else {
       bru.setEnvVar("senderOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/...ollections/Rafiki/Examples/Open Payments Without Quote/Grant Request Incoming Payment.bru b/...ollections/Rafiki/Examples/Open Payments Without Quote/Grant Request Incoming Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{receiverOpenPaymentsAuthHost}}/
+  url: {{receiverOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/...ollections/Rafiki/Examples/Open Payments Without Quote/Grant Request Outgoing Payment.bru b/...ollections/Rafiki/Examples/Open Payments Without Quote/Grant Request Outgoing Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{senderOpenPaymentsAuthHost}}/
+  url: {{senderOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments/Get receiver wallet address.bru b/bruno/collections/Rafiki/Examples/Open Payments/Get receiver wallet address.bru
@@ -22,11 +22,11 @@ script:pre-request {
 
 script:post-response {
   const url = require('url')
-
+  
   if (res.getStatus() !== 200) {
     return
   }
-
+  
   const body = res.getBody()
   bru.setEnvVar("receiverAssetCode", body?.assetCode)
   bru.setEnvVar("receiverAssetScale", body?.assetScale)
@@ -37,7 +37,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path);
   } else {
       bru.setEnvVar("receiverOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments/Get sender wallet address.bru b/bruno/collections/Rafiki/Examples/Open Payments/Get sender wallet address.bru
@@ -37,7 +37,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path );
   } else {
       bru.setEnvVar("senderOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Incoming Payment.bru b/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Incoming Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{receiverOpenPaymentsAuthHost}}/
+  url: {{receiverOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Outgoing Payment.bru b/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Outgoing Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{senderOpenPaymentsAuthHost}}/
+  url: {{senderOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Quote.bru b/bruno/collections/Rafiki/Examples/Open Payments/Grant Request Quote.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{senderOpenPaymentsAuthHost}}/
+  url: {{senderOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Examples/Web Monetization/Get receiver wallet address.bru b/bruno/collections/Rafiki/Examples/Web Monetization/Get receiver wallet address.bru
@@ -28,7 +28,7 @@ script:post-response {
   }
 
   const body = res.getBody()
-
+  
   bru.setEnvVar("receiverAssetCode", body?.assetCode)
   bru.setEnvVar("receiverAssetScale", body?.assetScale)
 
@@ -38,7 +38,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("receiverOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path );
   } else {
       bru.setEnvVar("receiverOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/bruno/collections/Rafiki/Examples/Web Monetization/Get sender wallet address.bru b/bruno/collections/Rafiki/Examples/Web Monetization/Get sender wallet address.bru
@@ -37,7 +37,7 @@ script:post-response {
       authUrl.hostname.includes('happy-life-bank')
   ){
       const port = authUrl.hostname.includes('cloud-nine-wallet')? authUrl.port: Number(authUrl.port) + 1000
-      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port );
+      bru.setEnvVar("senderOpenPaymentsAuthHost", authUrl.protocol + '//localhost:' + port + authUrl.path );
   } else {
       bru.setEnvVar("senderOpenPaymentsAuthHost", body?.authServer);
   }

diff --git a/bruno/collections/Rafiki/Examples/Web Monetization/Grant Request Incoming Payment.bru b/bruno/collections/Rafiki/Examples/Web Monetization/Grant Request Incoming Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{receiverOpenPaymentsAuthHost}}/
+  url: {{receiverOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Examples/Web Monetization/Grant Request Outgoing Payment.bru b/bruno/collections/Rafiki/Examples/Web Monetization/Grant Request Outgoing Payment.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{senderOpenPaymentsAuthHost}}/
+  url: {{senderOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/Open Payments Auth APIs/Grants/Grant Request.bru b/bruno/collections/Rafiki/Open Payments Auth APIs/Grants/Grant Request.bru
@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: {{receiverOpenPaymentsAuthHost}}/
+  url: {{receiverOpenPaymentsAuthHost}}
   body: json
   auth: none
 }

diff --git a/bruno/collections/Rafiki/environments/Local Playground.bru b/bruno/collections/Rafiki/environments/Local Playground.bru
@@ -31,4 +31,5 @@ vars {
   assetCode: USD
   assetScale: 2
   senderTenantId: 438fa74a-fa7d-4317-9ced-dde32ece1787
+  RafikiGraphqlHostTenantId: 438fa74a-fa7d-4317-9ced-dde32ece1787
 }
diff --git a/packages/auth/migrations/20241206232423_add_tenant_to_grant.js b/packages/auth/migrations/20241206232423_add_tenant_to_grant.js
@@ -0,0 +1,30 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return knex.schema
+    .alterTable('grants', function (table) {
+      table.uuid('tenantId').references('tenants.id').index()
+    })
+    .then(() => {
+      return knex.raw(
+        `UPDATE "grants" SET "tenantId" = (SELECT id from "tenants" LIMIT 1)`
+      )
+    })
+    .then(() => {
+      return knex.schema.alterTable('grants', (table) => {
+        table.uuid('tenantId').notNullable().alter()
+      })
+    })
+}
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return knex.schema.alterTable('grants', function (table) {
+    table.dropColumn('tenantId')
+  })
+}
diff --git a/packages/auth/src/access/service.test.ts b/packages/auth/src/access/service.test.ts
@@ -1,19 +1,19 @@
-import { faker } from '@faker-js/faker'
 import nock from 'nock'
 import { Knex } from 'knex'
-import { v4 } from 'uuid'
 import { createTestApp, TestContainer } from '../tests/app'
 import { truncateTables } from '../tests/tableManager'
 import { Config } from '../config/app'
 import { IocContract } from '@adonisjs/fold'
 import { initIocContainer } from '../'
 import { AppServices } from '../app'
 import { AccessService } from './service'
-import { Grant, GrantState, StartMethod, FinishMethod } from '../grant/model'
+import { Grant } from '../grant/model'
 import { IncomingPaymentRequest, OutgoingPaymentRequest } from './types'
-import { generateNonce, generateToken } from '../shared/utils'
+import { generateBaseGrant } from '../tests/grant'
 import { AccessType, AccessAction } from '@interledger/open-payments'
 import { Access } from './model'
+import { Tenant } from '../tenant/model'
+import { generateTenant } from '../tests/tenant'
 
 describe('Access Service', (): void => {
   let deps: IocContract<AppServices>
@@ -22,19 +22,11 @@ describe('Access Service', (): void => {
   let trx: Knex.Transaction
   let grant: Grant
 
-  const generateBaseGrant = () => ({
-    state: GrantState.Pending,
-    startMethod: [StartMethod.Redirect],
-    continueToken: generateToken(),
-    continueId: v4(),
-    finishMethod: FinishMethod.Redirect,
-    finishUri: 'https://example.com/finish',
-    clientNonce: generateNonce(),
-    client: faker.internet.url({ appendSlash: false })
-  })
-
   beforeEach(async (): Promise<void> => {
-    grant = await Grant.query(trx).insertAndFetch(generateBaseGrant())
+    const tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
+    grant = await Grant.query(trx).insertAndFetch(
+      generateBaseGrant({ tenantId: tenant.id })
+    )
   })
 
   beforeAll(async (): Promise<void> => {

diff --git a/packages/auth/src/access/utils.test.ts b/packages/auth/src/access/utils.test.ts
@@ -17,6 +17,8 @@ import { createTestApp, TestContainer } from '../tests/app'
 import { truncateTables } from '../tests/tableManager'
 import { generateToken, generateNonce } from '../shared/utils'
 import { compareRequestAndGrantAccessItems } from './utils'
+import { Tenant } from '../tenant/model'
+import { generateTenant } from '../tests/tenant'
 
 describe('Access utilities', (): void => {
   let deps: IocContract<AppServices>
@@ -25,6 +27,7 @@ describe('Access utilities', (): void => {
   let identifier: string
   let grant: Grant
   let grantAccessItem: Access
+  let tenant: Tenant
 
   const receiver: string =
     'https://wallet.com/alice/incoming-payments/12341234-1234-1234-1234-123412341234'
@@ -36,6 +39,7 @@ describe('Access utilities', (): void => {
 
   beforeEach(async (): Promise<void> => {
     identifier = `https://example.com/${v4()}`
+    tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
     grant = await Grant.query(trx).insertAndFetch({
       state: GrantState.Processing,
       startMethod: [StartMethod.Redirect],
@@ -44,7 +48,8 @@ describe('Access utilities', (): void => {
       finishMethod: FinishMethod.Redirect,
       finishUri: 'https://example.com/finish',
       clientNonce: generateNonce(),
-      client: faker.internet.url({ appendSlash: false })
+      client: faker.internet.url({ appendSlash: false }),
+      tenantId: tenant.id
     })
 
     grantAccessItem = await Access.query(trx).insertAndFetch({
@@ -241,7 +246,8 @@ describe('Access utilities', (): void => {
       finishMethod: FinishMethod.Redirect,
       finishUri: 'https://example.com/finish',
       clientNonce: generateNonce(),
-      client: faker.internet.url({ appendSlash: false })
+      client: faker.internet.url({ appendSlash: false }),
+      tenantId: tenant.id
     })
 
     const grantAccessItem = await Access.query(trx).insertAndFetch({

diff --git a/packages/auth/src/accessToken/routes.test.ts b/packages/auth/src/accessToken/routes.test.ts
@@ -24,6 +24,8 @@ import {
 import { GrantService } from '../grant/service'
 import { AccessTokenService } from './service'
 import { GNAPErrorCode } from '../shared/gnapErrors'
+import { generateTenant } from '../tests/tenant'
+import { Tenant } from '../tenant/model'
 
 describe('Access Token Routes', (): void => {
   let deps: IocContract<AppServices>
@@ -96,7 +98,11 @@ describe('Access Token Routes', (): void => {
     const method = 'POST'
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
+      const tenant = await Tenant.query().insertAndFetch(generateTenant())
+      grant = await Grant.query(trx).insertAndFetch({
+        ...BASE_GRANT,
+        tenantId: tenant.id
+      })
       access = await Access.query(trx).insertAndFetch({
         grantId: grant.id,
         ...BASE_ACCESS
@@ -367,7 +373,11 @@ describe('Access Token Routes', (): void => {
     let token: AccessToken
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
+      const tenant = await Tenant.query().insertAndFetch(generateTenant())
+      grant = await Grant.query(trx).insertAndFetch({
+        ...BASE_GRANT,
+        tenantId: tenant.id
+      })
       token = await AccessToken.query(trx).insertAndFetch({
         grantId: grant.id,
         ...BASE_TOKEN
@@ -406,7 +416,11 @@ describe('Access Token Routes', (): void => {
     let token: AccessToken
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
+      const tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
+      grant = await Grant.query(trx).insertAndFetch({
+        ...BASE_GRANT,
+        tenantId: tenant.id
+      })
       access = await Access.query(trx).insertAndFetch({
         grantId: grant.id,
         ...BASE_ACCESS

diff --git a/packages/auth/src/accessToken/service.test.ts b/packages/auth/src/accessToken/service.test.ts
@@ -20,6 +20,8 @@ import {
   AccessItem
 } from '@interledger/open-payments'
 import { generateBaseGrant } from '../tests/grant'
+import { Tenant } from '../tenant/model'
+import { generateTenant } from '../tests/tenant'
 
 describe('Access Token Service', (): void => {
   let deps: IocContract<AppServices>
@@ -63,8 +65,9 @@ describe('Access Token Service', (): void => {
 
   let grant: Grant
   beforeEach(async (): Promise<void> => {
+    const tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
     grant = await Grant.query(trx).insertAndFetch(
-      generateBaseGrant({ state: GrantState.Approved })
+      generateBaseGrant({ state: GrantState.Approved, tenantId: tenant.id })
     )
     grant.access = [
       await Access.query(trx).insertAndFetch({
@@ -186,8 +189,9 @@ describe('Access Token Service', (): void => {
     })
 
     test('Introspection only returns requested access', async (): Promise<void> => {
+      const tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
       const grantWithTwoAccesses = await Grant.query(trx).insertAndFetch(
-        generateBaseGrant({ state: GrantState.Approved })
+        generateBaseGrant({ state: GrantState.Approved, tenantId: tenant.id })
       )
       grantWithTwoAccesses.access = [
         await Access.query(trx).insertAndFetch({
@@ -247,11 +251,14 @@ describe('Access Token Service', (): void => {
   })
 
   describe('Revoke', (): void => {
+    let tenant: Tenant
     let grant: Grant
     let token: AccessToken
     beforeEach(async (): Promise<void> => {
+      tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
       grant = await Grant.query(trx).insertAndFetch(
         generateBaseGrant({
+          tenantId: tenant.id,
           state: GrantState.Finalized,
           finalizationReason: GrantFinalization.Issued
         })
@@ -352,8 +359,10 @@ describe('Access Token Service', (): void => {
     let token: AccessToken
     let originalTokenValue: string
     beforeEach(async (): Promise<void> => {
+      const tenant = await Tenant.query(trx).insertAndFetch(generateTenant())
       grant = await Grant.query(trx).insertAndFetch(
         generateBaseGrant({
+          tenantId: tenant.id,
           state: GrantState.Finalized,
           finalizationReason: GrantFinalization.Issued
         })