PIN-6662 Auth Server M2M token generation

packages/anac-certified-attributes-importer/test/processor.test.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/explicit-function-return-type */
 import { afterEach, beforeAll, describe, expect, it, vi, vitest } from "vitest";
 import {
-  InteropToken,
+  InteropInternalToken,
   InteropTokenGenerator,
   ReadModelRepository,
   RefreshableInteropToken,
@@ -40,7 +40,7 @@ describe("ANAC Certified Attributes Importer", () => {
   const readModelClient = {} as ReadModelRepository;
   const readModelQueriesMock = new ReadModelQueries(readModelClient);
 
-  const interopToken: InteropToken = {
+  const interopInternalToken: InteropInternalToken = {
     header: {
       alg: "algorithm",
       use: "use",
@@ -59,8 +59,8 @@ describe("ANAC Certified Attributes Importer", () => {
     },
     serialized: "the-token",
   };
-  const generateInternalTokenMock = (): Promise<InteropToken> =>
-    Promise.resolve(interopToken);
+  const generateInternalTokenMock = (): Promise<InteropInternalToken> =>
+    Promise.resolve(interopInternalToken);
 
   const run = () =>
     importAttributes(

packages/authorization-server/src/services/tokenService.ts

@@ -227,6 +227,7 @@ export function tokenServiceBuilder({
           const token = await tokenGenerator.generateInteropApiToken({
             sub: jwt.payload.sub,
             consumerId: key.consumerId,
+            clientAdminId: key.adminId,
           });
 
           logTokenGenerationInfo({

packages/authorization-server/test/authorizationServer.integration.test.ts

@@ -31,11 +31,13 @@ import {
   TokenGenerationStatesApiClient,
   TokenGenerationStatesConsumerClient,
   unsafeBrandId,
+  UserId,
 } from "pagopa-interop-models";
 import {
   formatDateyyyyMMdd,
   genericLogger,
   secondsToMilliseconds,
+  systemRole,
 } from "pagopa-interop-commons";
 import { authorizationServerApi } from "pagopa-interop-api-clients";
 import {
@@ -767,7 +769,7 @@ describe("authorization server tests", () => {
     expect(parsedAuditSent).toEqual(expectedMessageBody);
   });
 
-  it("should succeed - api key - no audit", async () => {
+  it("should succeed - api key - no audit - M2M role", async () => {
     vi.spyOn(fileManager, "storeBytes");
 
     const clientId = generateId<ClientId>();
@@ -815,8 +817,76 @@ describe("authorization server tests", () => {
     expect(fileListAfter).toHaveLength(0);
     expect(fileManager.storeBytes).not.toHaveBeenCalled();
 
+    expect(response.limitReached).toBe(false);
+    expect(response.token?.payload).toMatchObject({
+      role: systemRole.M2M_ROLE,
+    });
+    expect(response.token?.payload).not.toMatchObject({
+      adminId: expect.any(String),
+    });
+    expect(response.rateLimiterStatus).toEqual({
+      maxRequests: config.rateLimiterMaxRequests,
+      rateInterval: config.rateLimiterRateInterval,
+      remainingRequests: config.rateLimiterMaxRequests - 1,
+    });
+  });
+
+  it("should succeed - api key - no audit - M2M_ADMIN role", async () => {
+    vi.spyOn(fileManager, "storeBytes");
+
+    const clientId = generateId<ClientId>();
+    const clientAdminId = generateId<UserId>();
+
+    const { jws, clientAssertion, publicKeyEncodedPem } =
+      await getMockClientAssertion({
+        standardClaimsOverride: { sub: clientId },
+      });
+
+    const request: authorizationServerApi.AccessTokenRequest = {
+      ...(await getMockAccessTokenRequest()),
+      client_assertion: jws,
+      client_id: clientId,
+    };
+
+    const tokenClientKidK = makeTokenGenerationStatesClientKidPK({
+      clientId,
+      kid: clientAssertion.header.kid!,
+    });
+
+    const tokenClientKidEntry: TokenGenerationStatesApiClient = {
+      ...getMockTokenGenStatesApiClient(tokenClientKidK),
+      clientKind: clientKindTokenGenStates.api,
+      publicKey: publicKeyEncodedPem,
+      adminId: clientAdminId,
+    };
+
+    await writeTokenGenStatesApiClient(tokenClientKidEntry, dynamoDBClient);
+
+    const fileListBefore = await fileManager.listFiles(
+      config.s3Bucket,
+      genericLogger
+    );
+    expect(fileListBefore).toHaveLength(0);
+
+    const response = await tokenService.generateToken(
+      request,
+      generateId(),
+      genericLogger
+    );
+
+    const fileListAfter = await fileManager.listFiles(
+      config.s3Bucket,
+      genericLogger
+    );
+    expect(fileListAfter).toHaveLength(0);
+    expect(fileManager.storeBytes).not.toHaveBeenCalled();
+
     expect(response.limitReached).toBe(false);
     expect(response.token).toBeDefined();
+    expect(response.token?.payload).toMatchObject({
+      role: systemRole.M2M_ADMIN_ROLE,
+      adminId: tokenClientKidEntry.adminId,
+    });
     expect(response.rateLimiterStatus).toEqual({
       maxRequests: config.rateLimiterMaxRequests,
       rateInterval: config.rateLimiterRateInterval,

packages/authorization-server/test/authorizationServer.unit.test.ts

@@ -18,6 +18,7 @@ import {
   PurposeId,
   TokenGenerationStatesApiClient,
   TokenGenerationStatesConsumerClient,
+  UserId,
 } from "pagopa-interop-models";
 import {} from "pagopa-interop-client-assertion-validation";
 import { genericLogger } from "pagopa-interop-commons";
@@ -209,6 +210,31 @@ describe("unit tests", () => {
 
       expect(key).toEqual(tokenClientEntry);
     });
+
+    it("should succeed - clientKid entry - api key - adminId", async () => {
+      const clientId = generateId<ClientId>();
+      const clientAdminId = generateId<UserId>();
+      const kid = "kid";
+
+      const tokenClientKidPK = makeTokenGenerationStatesClientKidPK({
+        clientId,
+        kid,
+      });
+
+      const tokenClientEntry: TokenGenerationStatesApiClient = {
+        ...getMockTokenGenStatesApiClient(tokenClientKidPK),
+        clientKind: clientKindTokenGenStates.api,
+        adminId: clientAdminId,
+      };
+
+      await writeTokenGenStatesApiClient(tokenClientEntry, dynamoDBClient);
+      const key = await retrieveKey(dynamoDBClient, tokenClientKidPK);
+
+      expect(key).toEqual(tokenClientEntry);
+      expect(key).toMatchObject({
+        adminId: clientAdminId,
+      });
+    });
   });
 
   describe("fallbackAudit", () => {

packages/commons-test/src/tokenGenerationReadmodelUtils.ts

@@ -55,6 +55,11 @@ export const writeTokenGenStatesApiClient = async (
       GSIPK_clientId_kid: {
         S: tokenGenStatesEntry.GSIPK_clientId_kid,
       },
+      ...(tokenGenStatesEntry.adminId
+        ? {
+            adminId: { S: tokenGenStatesEntry.adminId },
+          }
+        : {}),
     },
     TableName: "token-generation-states",
   };

packages/commons/src/config/authorizationServerTokenGenerationConfig.ts

@@ -4,6 +4,11 @@ export const AuthorizationServerTokenGenerationConfig = z
   .object({
     GENERATED_INTEROP_TOKEN_KID: z.string(),
     GENERATED_INTEROP_TOKEN_ISSUER: z.string(),
+
+    /* 
+      AUDIENCE and DURATION_SECONDS are used 
+      to generate both M2M and M2M_ADMIN token.
+    */
     GENERATED_INTEROP_TOKEN_M2M_AUDIENCE: z.string(),
     GENERATED_INTEROP_TOKEN_M2M_DURATION_SECONDS: z.string(),
   })

packages/commons/src/interop-token/interopTokenService.ts

@@ -1,26 +1,28 @@
 import crypto from "crypto";
 import { KMSClient, SignCommand, SignCommandInput } from "@aws-sdk/client-kms";
 import {
+  ClientAssertionDigest,
   ClientId,
   generateId,
   PurposeId,
   TenantId,
-  ClientAssertionDigest,
+  UserId,
 } from "pagopa-interop-models";
+import { systemRole } from "../auth/authData.js";
+import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { SessionTokenGenerationConfig } from "../config/sessionTokenGenerationConfig.js";
 import { TokenGenerationConfig } from "../config/tokenGenerationConfig.js";
-import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { dateToSeconds } from "../utils/date.js";
 import {
   CustomClaims,
-  GENERATED_INTEROP_TOKEN_M2M_ROLE,
   InteropApiToken,
   InteropConsumerToken,
+  InteropInternalToken,
+  InteropJwtApiCommonPayload,
   InteropJwtApiPayload,
   InteropJwtConsumerPayload,
   InteropJwtHeader,
-  InteropJwtPayload,
-  InteropToken,
+  InteropJwtInternalPayload,
   ORGANIZATION_ID_CLAIM,
   ROLE_CLAIM,
   SessionClaims,
@@ -46,7 +48,7 @@ export class InteropTokenGenerator {
     this.kmsClient = kmsClient || new KMSClient();
   }
 
-  public async generateInternalToken(): Promise<InteropToken> {
+  public async generateInternalToken(): Promise<InteropInternalToken> {
     const currentTimestamp = dateToSeconds(new Date());
 
     if (
@@ -66,7 +68,7 @@ export class InteropTokenGenerator {
       kid: this.config.kid,
     };
 
-    const payload: InteropJwtPayload = {
+    const payload: InteropJwtInternalPayload = {
       jti: crypto.randomUUID(),
       iss: this.config.issuer,
       aud: this.config.audience,
@@ -140,9 +142,11 @@ export class InteropTokenGenerator {
   public async generateInteropApiToken({
     sub,
     consumerId,
+    clientAdminId,
   }: {
     sub: ClientId;
     consumerId: TenantId;
+    clientAdminId: UserId | undefined;
   }): Promise<InteropApiToken> {
     if (
       !this.config.generatedInteropTokenKid ||
@@ -164,7 +168,7 @@ export class InteropTokenGenerator {
       kid: this.config.generatedInteropTokenKid,
     };
 
-    const payload: InteropJwtApiPayload = {
+    const userDataPayload: InteropJwtApiCommonPayload = {
       jti: generateId(),
       iss: this.config.generatedInteropTokenIssuer,
       aud: this.toJwtAudience(this.config.generatedInteropTokenM2MAudience),
@@ -175,7 +179,20 @@ export class InteropTokenGenerator {
       exp:
         currentTimestamp + this.config.generatedInteropTokenM2MDurationSeconds,
       [ORGANIZATION_ID_CLAIM]: consumerId,
-      [ROLE_CLAIM]: GENERATED_INTEROP_TOKEN_M2M_ROLE,
+    };
+
+    const systemRolePayload = clientAdminId
+      ? {
+          [ROLE_CLAIM]: systemRole.M2M_ADMIN_ROLE,
+          adminId: clientAdminId,
+        }
+      : {
+          [ROLE_CLAIM]: systemRole.M2M_ROLE,
+        };
+
+    const payload: InteropJwtApiPayload = {
+      ...userDataPayload,
+      ...systemRolePayload,
     };
 
     const serializedToken = await this.createAndSignToken({
@@ -256,7 +273,7 @@ export class InteropTokenGenerator {
   }: {
     header: InteropJwtHeader;
     payload:
-      | InteropJwtPayload
+      | InteropJwtInternalPayload
       | SessionJwtPayload
       | InteropJwtConsumerPayload
       | InteropJwtApiPayload;