interledger · njlie · Sep 16, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/localenv/cloud-nine-wallet/docker-compose.yml b/localenv/cloud-nine-wallet/docker-compose.yml
@@ -25,6 +25,7 @@ services:
       IDP_SECRET: 2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
       DISPLAY_NAME: Cloud Nine Wallet
       DISPLAY_ICON: wallet-icon.svg
+      OPERATOR_API_SECRET: tXhxCNRWuVOJs5W/CUgjsc+vBnKj0CVdqSb87EXN64E=
     volumes:
       - ../cloud-nine-wallet/seed.yml:/workspace/seed.yml
       - ../cloud-nine-wallet/private-key.pem:/workspace/private-key.pem
@@ -79,6 +80,7 @@ services:
       AUTH_ADMIN_API_SECRET: rPoZpe9tVyBNCigm05QDco7WLcYa0xMao7lO5KG1XG4=
       OPERATOR_IDP_CONSENT_URL: http://localhost:3030/mock-idp/
       OPERATOR_IDP_SECRET: 2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
+      OPERATOR_API_SECRET: tXhxCNRWuVOJs5W/CUgjsc+vBnKj0CVdqSb87EXN64E=
     depends_on:
       - shared-database
       - shared-redis

diff --git a/localenv/happy-life-bank/docker-compose.yml b/localenv/happy-life-bank/docker-compose.yml
@@ -21,6 +21,7 @@ services:
       IDP_SECRET: 2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
       DISPLAY_NAME: Happy Life Bank
       DISPLAY_ICON: bank-icon.svg
+      OPERATOR_API_SECRET: tXhxCNRWuVOJs5W/CUgjsc+vBnKj0CVdqSb87EXN64E=
     volumes:
       - ../happy-life-bank/seed.yml:/workspace/seed.yml
       - ../happy-life-bank/private-key.pem:/workspace/private-key.pem
@@ -71,6 +72,7 @@ services:
       AUTH_ADMIN_API_SECRET: rPoZpe9tVyBNCigm05QDco7WLcYa0xMao7lO5KG1XG4=
       OPERATOR_IDP_CONSENT_URL: http://localhost:3031/mock-idp/
       OPERATOR_IDP_SECRET: 2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
+      OPERATOR_API_SECRET: tXhxCNRWuVOJs5W/CUgjsc+vBnKj0CVdqSb87EXN64E=
     depends_on:
       - cloud-nine-backend
   happy-life-auth:

diff --git a/localenv/mock-account-servicing-entity/app/lib/parse_config.server.ts b/localenv/mock-account-servicing-entity/app/lib/parse_config.server.ts
@@ -18,5 +18,6 @@ export const CONFIG: Config = {
   testnetAutoPeerUrl: process.env.TESTNET_AUTOPEER_URL ?? '',
   authServerDomain: process.env.AUTH_SERVER_DOMAIN || 'http://localhost:3006',
   graphqlUrl: process.env.GRAPHQL_URL ?? '',
-  idpSecret: process.env.IDP_SECRET
+  idpSecret: process.env.IDP_SECRET,
+  operatorApiSecret: process.env.OPERATOR_API_SECRET ?? ''
 }
diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
@@ -117,6 +117,18 @@ export function initIocContainer(
     }
   )
 
+  container.singleton(
+    'tenantService',
+    async (deps: IocContract<AppServices>) => {
+      const [logger, knex] = await Promise.all([
+        deps.use('logger'),
+        deps.use('knex')
+      ])
+
+      return createTenantService({ logger, knex })
+    }
+  )
+
   container.singleton(
     'accessService',
     async (deps: IocContract<AppServices>) => {

diff --git a/packages/backend/jest.config.js b/packages/backend/jest.config.js
@@ -24,6 +24,7 @@ process.env.AUTH_ADMIN_URL = 'http://127.0.0.1:3003/graphql'
 process.env.AUTH_ADMIN_API_SECRET =
   'rPoZpe9tVyBNCigm05QDco7WLcYa0xMao7lO5KG1XG4='
 process.env.KRATOS_PUBLIC_URL = 'http://127.0.0.1:4433/graphql'
+process.env.OPERATOR_API_SECRET = 'tXhxCNRWuVOJs5W/CUgjsc+vBnKj0CVdqSb87EXN64E='
 
 module.exports = {
   ...baseConfig,

diff --git a/packages/backend/src/app.ts b/packages/backend/src/app.ts
@@ -86,7 +86,8 @@ import { TelemetryService } from './telemetry/service'
 import { ApolloArmor } from '@escape.tech/graphql-armor'
 import { openPaymentsServerErrorMiddleware } from './open_payments/route-errors'
 import {
-  // getTenantIdFromRequestHeaders,
+  getTenantIdFromOperatorSecret,
+  getTenantIdFromRequestHeaders,
   verifyApiSignature
 } from './shared/utils'
 import { WalletAddress } from './open_payments/wallet_address/model'
@@ -427,11 +428,21 @@ export class App {
     }
 
     // Determine Kratos Identity
-    // TODO: Comment out for now until seed script has a good way to acquire a kratos session
-    // koa.use(async (ctx: TenantedAppContext, next: Koa.Next): Promise<void> => {
-    //   await getTenantIdFromRequestHeaders(ctx, this.config)
-    //   return next()
-    // })
+    // TODO: We need a better solution for non-session-based authentication (i.e. requests not using a Kratos session)
+    koa.use(async (ctx: TenantedAppContext, next: Koa.Next): Promise<void> => {
+      const { headers } = ctx.request
+      this.logger.info(
+        { headers, operatorApiSecret: this.config.operatorApiSecret },
+        'checking for secret'
+      )
+      if (headers['x-operator-secret'] === this.config.operatorApiSecret) {
+        await getTenantIdFromOperatorSecret(ctx, this.config)
+        return next()
+      } else {
+        await getTenantIdFromRequestHeaders(ctx, this.config)
+        return next()
+      }
+    })
 
     koa.use(
       koaMiddleware(this.apolloServer, {

diff --git a/packages/backend/src/asset/service.test.ts b/packages/backend/src/asset/service.test.ts
@@ -20,6 +20,8 @@ import { WalletAddressService } from '../open_payments/wallet_address/service'
 import { isWalletAddressError } from '../open_payments/wallet_address/errors'
 import { PeerService } from '../payment-method/ilp/peer/service'
 import { isPeerError } from '../payment-method/ilp/peer/errors'
+import { createTenant } from '../tests/tenant'
+import { EndpointType } from '../tenant/endpoints/model'
 
 describe('Asset Service', (): void => {
   let deps: IocContract<AppServices>
@@ -271,9 +273,29 @@ describe('Asset Service', (): void => {
       assert.ok(!isAssetError(newAsset))
       const newAssetId = newAsset.id
 
+      const nock = (global as unknown as { nock: typeof import('nock') }).nock
+      const config = await deps.use('config')
+      const tenantEmail = faker.internet.email()
+      nock(config.kratosAdminUrl)
+        .get('/identities')
+        .query({ credentials_identifier: tenantEmail })
+        .reply(200, [{ id: uuid(), metadata_public: {} }])
+        .persist()
+      const tenantId = (
+        await createTenant(deps, {
+          email: tenantEmail,
+          idpSecret: 'testsecret',
+          idpConsentEndpoint: faker.internet.url(),
+          endpoints: [
+            { type: EndpointType.WebhookBaseUrl, value: faker.internet.url() }
+          ]
+        })
+      ).id
+
       // make sure there is at least 1 wallet address using asset
       const walletAddress = walletAddressService.create({
         url: 'https://alice.me/.well-known/pay',
+        tenantId,
         assetId: newAssetId
       })
       assert.ok(!isWalletAddressError(walletAddress))

diff --git a/packages/backend/src/config/app.ts b/packages/backend/src/config/app.ts
@@ -195,7 +195,10 @@ export const Config = {
   kratosAdminUrl: envString('KRATOS_ADMIN_URL'),
   kratosAdminEmail: envString('KRATOS_ADMIN_EMAIL'),
   operatorIdpSecret: envString('OPERATOR_IDP_SECRET'),
-  operatorIdpConsentUrl: envString('OPERATOR_IDP_CONSENT_URL')
+  operatorIdpConsentUrl: envString('OPERATOR_IDP_CONSENT_URL'),
+  // TODO: something more permanent & agreed upon by the team
+  // Used by seed scripts/Bruno collection
+  operatorApiSecret: envString('OPERATOR_API_SECRET')
 }
 
 function parseRedisTlsConfig(

diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
@@ -742,6 +742,9 @@ export const start = async (
   await app.startAdminServer(config.adminPort)
   logger.info(`Admin listening on ${app.getAdminPort()}`)
 
+  await app.createOperatorIdentity()
+  logger.info('Operator identity created on Kratos')
+
   await app.startOpenPaymentsServer(config.openPaymentsPort)
   logger.info(`Open Payments listening on ${app.getOpenPaymentsPort()}`)
 
@@ -755,9 +758,6 @@ export const start = async (
       `Auto-peering server listening on ${config.autoPeeringServerPort}`
     )
   }
-
-  await app.createOperatorIdentity()
-  logger.info('Operator identity created on Kratos')
 }
 
 // If this script is run directly, start the server

diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts
@@ -30,6 +30,8 @@ import { parseLimits } from '../payment/outgoing/limits'
 import { AccessAction, AccessType } from '@interledger/open-payments'
 import { OpenPaymentsServerRouteError } from '../route-errors'
 import assert from 'assert'
+import { createTenant } from '../../tests/tenant'
+import { EndpointType } from '../../tenant/endpoints/model'
 
 const nock = (global as unknown as { nock: typeof import('nock') }).nock
 
@@ -71,14 +73,31 @@ describe('Auth Middleware', (): void => {
   })
 
   beforeEach(async (): Promise<void> => {
+    const config = await deps.use('config')
+    const tenantEmail = faker.internet.email()
+    nock(config.kratosAdminUrl)
+      .get('/identities')
+      .query({ credentials_identifier: tenantEmail })
+      .reply(200, [{ id: uuid(), metadata_public: {} }])
+      .persist()
+    const tenantId = (
+      await createTenant(deps, {
+        email: tenantEmail,
+        idpSecret: 'testsecret',
+        idpConsentEndpoint: faker.internet.url(),
+        endpoints: [
+          { type: EndpointType.WebhookBaseUrl, value: faker.internet.url() }
+        ]
+      })
+    ).id
     ctx = setup({
       reqOpts: {
         headers: {
           Accept: 'application/json',
           Authorization: `GNAP ${token}`
         }
       },
-      walletAddress: await createWalletAddress(deps)
+      walletAddress: await createWalletAddress(deps, tenantId)
     })
     ctx.container = deps
   })