PIN-6540 Supertest in attribute registry process (#1758)

Co-authored-by: Tommaso Petrucciani <[email protected]>

Author: rGregnanin

packages/attribute-registry-process/package.json

@@ -5,7 +5,8 @@
   "main": "dist",
   "type": "module",
   "scripts": {
-    "test": "vitest",
+    "test:api": "vitest --config vitest.api.config.ts",
+    "test:integration": "vitest --config vitest.integration.config.ts",
     "lint": "eslint . --ext .ts,.tsx",
     "lint:autofix": "eslint . --ext .ts,.tsx --fix",
     "format:check": "prettier --check src",
@@ -24,9 +25,13 @@
     "@protobuf-ts/runtime": "2.9.4",
     "@types/express": "4.17.21",
     "@types/node": "20.14.6",
+    "@types/supertest": "6.0.2",
+    "@types/jsonwebtoken": "^9.0.2",
     "pagopa-interop-commons-test": "workspace:*",
     "prettier": "2.8.8",
+    "supertest": "7.0.0",
     "testcontainers": "10.9.0",
+    "jsonwebtoken": "9.0.2",
     "tsx": "4.19.1",
     "typescript": "5.4.5",
     "vitest": "1.6.0"

packages/attribute-registry-process/src/app.ts

@@ -12,21 +12,34 @@ import { serviceName as modelsServiceName } from "pagopa-interop-models";
 import attributeRouter from "./routers/AttributeRouter.js";
 import healthRouter from "./routers/HealthRouter.js";
 import { config } from "./config/config.js";
+import { AttributeRegistryService } from "./services/attributeRegistryService.js";
 
-const serviceName = modelsServiceName.ATTRIBUTE_REGISTRY_PROCESS;
+// eslint-disable-next-line @typescript-eslint/explicit-function-return-type
+export async function createApp(service?: AttributeRegistryService) {
+  const serviceName = modelsServiceName.ATTRIBUTE_REGISTRY_PROCESS;
 
-const app = zodiosCtx.app();
+  const router =
+    service != null
+      ? attributeRouter(zodiosCtx, service)
+      : attributeRouter(zodiosCtx);
 
-// Disable the "X-Powered-By: Express" HTTP header for security reasons.
-// See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
-app.disable("x-powered-by");
+  const app = zodiosCtx.app();
 
-app.use(healthRouter);
-app.use(contextMiddleware(serviceName));
-app.use(await applicationAuditBeginMiddleware(serviceName, config));
-app.use(await applicationAuditEndMiddleware(serviceName, config));
-app.use(authenticationMiddleware(config));
-app.use(loggerMiddleware(serviceName));
-app.use(attributeRouter(zodiosCtx));
+  // Disable the "X-Powered-By: Express" HTTP header for security reasons.
+  // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
+  app.disable("x-powered-by");
+
+  app.use(healthRouter);
+  app.use(contextMiddleware(serviceName));
+  app.use(await applicationAuditBeginMiddleware(serviceName, config));
+  app.use(await applicationAuditEndMiddleware(serviceName, config));
+  app.use(authenticationMiddleware(config));
+  app.use(loggerMiddleware(serviceName));
+  app.use(router);
+
+  return app;
+}
+
+const app = await createApp();
 
 export default app;

packages/attribute-registry-process/src/routers/AttributeRouter.ts

@@ -19,7 +19,10 @@ import {
 } from "../model/domain/apiConverter.js";
 import { config } from "../config/config.js";
 import { makeApiProblem } from "../model/domain/errors.js";
-import { attributeRegistryServiceBuilder } from "../services/attributeRegistryService.js";
+import {
+  AttributeRegistryService,
+  attributeRegistryServiceBuilder,
+} from "../services/attributeRegistryService.js";
 import {
   createCertifiedAttributesErrorMapper,
   createDeclaredAttributesErrorMapper,
@@ -32,7 +35,7 @@ import {
 
 const readModelRepository = ReadModelRepository.init(config);
 const readModelService = readModelServiceBuilder(readModelRepository);
-const attributeRegistryService = attributeRegistryServiceBuilder(
+const defaultAttributeRegistryService = attributeRegistryServiceBuilder(
   initDB({
     username: config.eventStoreDbUsername,
     password: config.eventStoreDbPassword,
@@ -46,7 +49,8 @@ const attributeRegistryService = attributeRegistryServiceBuilder(
 );
 
 const attributeRouter = (
-  ctx: ZodiosContext
+  ctx: ZodiosContext,
+  attributeRegistryService: AttributeRegistryService = defaultAttributeRegistryService
 ): ZodiosRouter<ZodiosEndpointDefinitions, ExpressContext> => {
   const attributeRouter = ctx.router(attributeRegistryApi.attributeApi.api, {
     validationErrorHandler: zodiosValidationErrorToApiProblem,

packages/attribute-registry-process/test/api/createCertifiedAttribute.test.ts

@@ -0,0 +1,88 @@
+/* eslint-disable @typescript-eslint/explicit-function-return-type */
+import { describe, it, expect, vi } from "vitest";
+import { Attribute, generateId } from "pagopa-interop-models";
+import { generateToken, getMockAttribute } from "pagopa-interop-commons-test";
+import { AuthRole, authRole } from "pagopa-interop-commons";
+import request from "supertest";
+import { attributeRegistryApi } from "pagopa-interop-api-clients";
+import { api, attributeRegistryService } from "../vitest.api.setup.js";
+import { toApiAttribute } from "../../src/model/domain/apiConverter.js";
+import { attributeDuplicateByNameAndCode } from "../../src/model/domain/errors.js";
+
+describe("API /certifiedAttributes authorization test", () => {
+  const mockCertifiedAttributeSeed: attributeRegistryApi.CertifiedAttributeSeed =
+    {
+      name: "Certified Attribute",
+      description: "This is a certified attribute",
+      code: "001",
+    };
+
+  const mockAttribute: Attribute = {
+    ...getMockAttribute(),
+    id: generateId(),
+    kind: "Certified",
+    creationTime: new Date(),
+  };
+
+  const apiAttribute = attributeRegistryApi.Attribute.parse(
+    toApiAttribute(mockAttribute)
+  );
+
+  attributeRegistryService.createCertifiedAttribute = vi
+    .fn()
+    .mockResolvedValue(mockAttribute);
+
+  const makeRequest = async (token: string) =>
+    request(api)
+      .post("/certifiedAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send(mockCertifiedAttributeSeed);
+
+  const authorizedRoles: AuthRole[] = [authRole.ADMIN_ROLE, authRole.M2M_ROLE];
+  it.each(authorizedRoles)(
+    "Should return 200 for user with role %s",
+    async (role) => {
+      const token = generateToken(role);
+      const res = await makeRequest(token);
+      expect(res.status).toBe(200);
+      expect(res.body).toEqual(apiAttribute);
+    }
+  );
+
+  it.each(
+    Object.values(authRole).filter((role) => !authorizedRoles.includes(role))
+  )("Should return 403 for user with role %s", async (role) => {
+    const token = generateToken(role);
+    const res = await makeRequest(token);
+    expect(res.status).toBe(403);
+  });
+
+  it("Should return 409 for conflict", async () => {
+    attributeRegistryService.createCertifiedAttribute = vi
+      .fn()
+      .mockRejectedValue(
+        attributeDuplicateByNameAndCode(
+          mockCertifiedAttributeSeed.name,
+          mockCertifiedAttributeSeed.code
+        )
+      );
+
+    const res = await makeRequest(generateToken(authRole.ADMIN_ROLE));
+
+    expect(res.status).toBe(409);
+  });
+
+  it("Should return 400 if passed an invalid certified attribute seed", async () => {
+    const token = generateToken(authRole.ADMIN_ROLE);
+    const res = await request(api)
+      .post("/certifiedAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send({
+        name: "Certified Attribute",
+        code: "001",
+      });
+    expect(res.status).toBe(400);
+  });
+});

packages/attribute-registry-process/test/api/createDeclaredAttribute.test.ts

@@ -0,0 +1,84 @@
+/* eslint-disable @typescript-eslint/explicit-function-return-type */
+import { describe, it, expect, vi } from "vitest";
+import { Attribute, generateId } from "pagopa-interop-models";
+import { generateToken, getMockAttribute } from "pagopa-interop-commons-test";
+import { AuthRole, authRole } from "pagopa-interop-commons";
+import request from "supertest";
+import { attributeRegistryApi } from "pagopa-interop-api-clients";
+import { api, attributeRegistryService } from "../vitest.api.setup.js";
+import { toApiAttribute } from "../../src/model/domain/apiConverter.js";
+import { attributeDuplicateByName } from "../../src/model/domain/errors.js";
+
+describe("API /declaredAttributes authorization test", () => {
+  const mockDeclaredAttributeSeed: attributeRegistryApi.AttributeSeed = {
+    name: "Declared Attribute",
+    description: "This is a declared attribute",
+  };
+
+  const mockAttribute: Attribute = {
+    ...getMockAttribute(),
+    id: generateId(),
+    kind: "Declared",
+    creationTime: new Date(),
+  };
+
+  const apiAttribute = attributeRegistryApi.Attribute.parse(
+    toApiAttribute(mockAttribute)
+  );
+
+  attributeRegistryService.createDeclaredAttribute = vi
+    .fn()
+    .mockResolvedValue(mockAttribute);
+
+  const makeRequest = async (token: string) =>
+    request(api)
+      .post("/declaredAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send(mockDeclaredAttributeSeed);
+
+  const authorizedRoles: AuthRole[] = [authRole.ADMIN_ROLE, authRole.API_ROLE];
+
+  it.each(authorizedRoles)(
+    "Should return 200 for user with role %s",
+    async (role) => {
+      const token = generateToken(role);
+      const res = await makeRequest(token);
+
+      expect(res.status).toBe(200);
+      expect(res.body).toEqual(apiAttribute);
+    }
+  );
+
+  it.each(
+    Object.values(authRole).filter((role) => !authorizedRoles.includes(role))
+  )("Should return 403 for user with role %s", async (role) => {
+    const token = generateToken(role);
+    const res = await makeRequest(token);
+    expect(res.status).toBe(403);
+  });
+
+  it("Should return 409 for conflict", async () => {
+    attributeRegistryService.createDeclaredAttribute = vi
+      .fn()
+      .mockRejectedValue(
+        attributeDuplicateByName(mockDeclaredAttributeSeed.name)
+      );
+
+    const res = await makeRequest(generateToken(authRole.ADMIN_ROLE));
+
+    expect(res.status).toBe(409);
+  });
+
+  it("Should return 400 if passed an invalid attribute seed", async () => {
+    const token = generateToken(authRole.ADMIN_ROLE);
+    const res = await request(api)
+      .post("/declaredAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send({
+        name: "Declared Attribute",
+      });
+    expect(res.status).toBe(400);
+  });
+});

packages/attribute-registry-process/test/api/createInternalCertifiedAttribute.test.ts

@@ -0,0 +1,87 @@
+/* eslint-disable @typescript-eslint/explicit-function-return-type */
+import { describe, it, expect, vi } from "vitest";
+import { Attribute, generateId } from "pagopa-interop-models";
+import { generateToken, getMockAttribute } from "pagopa-interop-commons-test";
+import { authRole } from "pagopa-interop-commons";
+import request from "supertest";
+import { attributeRegistryApi } from "pagopa-interop-api-clients";
+import { api, attributeRegistryService } from "../vitest.api.setup.js";
+import { toApiAttribute } from "../../src/model/domain/apiConverter.js";
+import { attributeDuplicateByNameAndCode } from "../../src/model/domain/errors.js";
+
+describe("API /internal/certifiedAttributes authorization test", () => {
+  const mockInternalCertifiedAttributeSeed: attributeRegistryApi.InternalCertifiedAttributeSeed =
+    {
+      code: "001",
+      name: "Internal certified attribute",
+      description: "description",
+      origin: "IPA",
+    };
+
+  const mockAttribute: Attribute = {
+    ...getMockAttribute(),
+    id: generateId(),
+    kind: "Certified",
+    creationTime: new Date(),
+  };
+
+  const apiAttribute = attributeRegistryApi.Attribute.parse(
+    toApiAttribute(mockAttribute)
+  );
+
+  attributeRegistryService.internalCreateCertifiedAttribute = vi
+    .fn()
+    .mockResolvedValue(mockAttribute);
+
+  const makeRequest = async (token: string) =>
+    request(api)
+      .post("/internal/certifiedAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send(mockInternalCertifiedAttributeSeed);
+
+  it("Should return 200 for user with role Internal", async () => {
+    const token = generateToken(authRole.INTERNAL_ROLE);
+    const res = await makeRequest(token);
+
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual(apiAttribute);
+  });
+
+  it.each(
+    Object.values(authRole).filter((role) => role !== authRole.INTERNAL_ROLE)
+  )("Should return 403 for user with role %s", async (role) => {
+    const token = generateToken(role);
+    const res = await makeRequest(token);
+    expect(res.status).toBe(403);
+  });
+
+  it("Should return 409 for conflict", async () => {
+    attributeRegistryService.internalCreateCertifiedAttribute = vi
+      .fn()
+      .mockRejectedValue(
+        attributeDuplicateByNameAndCode(
+          mockInternalCertifiedAttributeSeed.name,
+          mockInternalCertifiedAttributeSeed.code
+        )
+      );
+
+    const res = await makeRequest(generateToken(authRole.INTERNAL_ROLE));
+
+    expect(res.status).toBe(409);
+  });
+
+  it("Should return 400 if passed an invalid attribute seed", async () => {
+    const token = generateToken(authRole.INTERNAL_ROLE);
+    const res = await request(api)
+      .post("/internal/certifiedAttributes")
+      .set("Authorization", `Bearer ${token}`)
+      .set("X-Correlation-Id", generateId())
+      .send({
+        code: "001",
+        name: "Internal certified attribute",
+        origin: "IPA",
+      });
+    expect(res.status).toBe(400);
+  });
+});