Bump @nx/devkit from 19.5.1 to 20.4.0

.gitignore

@@ -55,6 +55,10 @@ Thumbs.db
 .env.production
 .env.test
 
+config/*
+!config/*.example.yaml
+!config/*.template.yaml
+
 /rego-build
 /apps/devtool/storage.json
 

.husky/pre-commit

@@ -1,4 +1 @@
-#!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 npx lint-staged

.prettierignore

@@ -6,6 +6,7 @@ dist/*
 .nx/cache/*
 deploy/charts/*
 /.nx/workspace-data
+.next/*
 
 # Generated code
 packages/armory-sdk/src/http/client

.prettierrc

@@ -6,5 +6,13 @@
   "singleQuote": true,
   "tabWidth": 2,
   "trailingComma": "none",
-  "useTabs": false
+  "useTabs": false,
+  "overrides": [
+    {
+      "files": ["*.yml", "*.yaml"],
+      "options": {
+        "quoteProps": "preserve"
+      }
+    }
+  ]
 }

apps/armory/Makefile

@@ -30,13 +30,15 @@ armory/build:
 # === Code format ===
 
 armory/format:
-	 npx nx format:write --projects ${ARMORY_PROJECT_NAME}
+	npx nx format:write --projects ${ARMORY_PROJECT_NAME}
+	npx prisma format --schema ${ARMORY_DATABASE_SCHEMA}
 
 armory/lint:
 	npx nx lint ${ARMORY_PROJECT_NAME} -- --fix
 
 armory/format/check:
-	 npx nx format:check --projects ${ARMORY_PROJECT_NAME}
+	npx nx format:check --projects ${ARMORY_PROJECT_NAME}
+	npx prisma format --schema ${ARMORY_DATABASE_SCHEMA}
 
 armory/lint/check:
 	npx nx lint ${ARMORY_PROJECT_NAME}

apps/armory/src/armory.constant.ts

@@ -1,10 +1,3 @@
-import {
-  REQUEST_HEADER_CLIENT_ID,
-  REQUEST_HEADER_CLIENT_SECRET,
-  adminApiKeySecurity,
-  clientIdSecurity,
-  clientSecretSecurity
-} from '@narval/nestjs-shared'
 import { AssetId } from '@narval/policy-engine-shared'
 import { ClassSerializerInterceptor, ValidationPipe } from '@nestjs/common'
 import { APP_FILTER, APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core'
@@ -51,20 +44,6 @@ export const DEFAULT_HTTP_MODULE_PROVIDERS = [
   ...HTTP_VALIDATION_PIPES
 ]
 
-//
-// Headers
-//
-
-export const REQUEST_HEADER_API_KEY = 'x-api-key'
-
-//
-// API Security
-//
-
-export const ADMIN_SECURITY = adminApiKeySecurity(REQUEST_HEADER_API_KEY)
-export const CLIENT_ID_SECURITY = clientIdSecurity(REQUEST_HEADER_CLIENT_ID)
-export const CLIENT_SECRET_SECURITY = clientSecretSecurity(REQUEST_HEADER_CLIENT_SECRET)
-
 //
 // Queues
 //

apps/armory/src/client/__test__/e2e/client.spec.ts

@@ -1,18 +1,18 @@
 import { ConfigModule, ConfigService } from '@narval/config-module'
-import { LoggerModule, OpenTelemetryModule, secret } from '@narval/nestjs-shared'
-import { DataStoreConfiguration, HttpSource, PublicClient, Source, SourceType } from '@narval/policy-engine-shared'
-import { getPublicKey, privateKeyToJwk } from '@narval/signature'
+import { LoggerModule, OpenTelemetryModule, REQUEST_HEADER_ADMIN_API_KEY, secret } from '@narval/nestjs-shared'
+import { DataStoreConfiguration, HttpSource, Source, SourceType } from '@narval/policy-engine-shared'
+import { SigningAlg, getPublicKey, privateKeyToJwk } from '@narval/signature'
 import { HttpStatus, INestApplication } from '@nestjs/common'
 import { Test, TestingModule } from '@nestjs/testing'
 import nock from 'nock'
 import request from 'supertest'
 import { generatePrivateKey } from 'viem/accounts'
 import { AppService } from '../../../app/core/service/app.service'
 import { Config, load } from '../../../armory.config'
-import { REQUEST_HEADER_API_KEY } from '../../../armory.constant'
 import { TestPrismaService } from '../../../shared/module/persistence/service/test-prisma.service'
 import { ClientModule } from '../../client.module'
 import { ClientService } from '../../core/service/client.service'
+import { PolicyEnginePublicClient } from '../../core/type/client.type'
 import { CreateClientRequestDto } from '../../http/rest/dto/create-client.dto'
 
 // TODO: (@wcalderipe, 16/05/24) Evaluate testcontainers
@@ -32,13 +32,26 @@ const mockPolicyEngineServer = (url: string, clientId: string) => {
     keys: [getPublicKey(privateKeyToJwk(generatePrivateKey()))]
   }
 
-  const createClientResponse: PublicClient = {
+  const createClientResponse: PolicyEnginePublicClient = {
     clientId,
-    clientSecret: secret.generate(),
+    name: 'Acme',
+    configurationSource: 'dynamic',
+    baseUrl: null,
+    auth: {
+      disabled: false,
+      local: {
+        clientSecret: secret.generate()
+      }
+    },
     createdAt: new Date(),
     updatedAt: new Date(),
-    signer: {
-      publicKey: getPublicKey(privateKeyToJwk(generatePrivateKey()))
+    decisionAttestation: {
+      disabled: false,
+      signer: {
+        alg: SigningAlg.EIP191,
+        keyId: 'acme-key-ie',
+        publicKey: getPublicKey(privateKeyToJwk(generatePrivateKey()))
+      }
     },
     dataStore: {
       entity: dataStoreConfig,
@@ -135,7 +148,7 @@ describe('Client', () => {
 
       const { status, body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send(createClientPayload)
 
       const actualClient = await clientService.findById(body.id)
@@ -171,7 +184,7 @@ describe('Client', () => {
 
       const { body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send(createClientWithGivenPolicyEngine)
 
       const actualClient = await clientService.findById(body.id)
@@ -187,7 +200,7 @@ describe('Client', () => {
 
       const { body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send({ ...createClientPayload, clientSecret })
 
       const actualClient = await clientService.findById(body.id)
@@ -201,7 +214,7 @@ describe('Client', () => {
 
       const { body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send(createClientPayload)
 
       const actualClient = await clientService.findById(body.id)
@@ -215,7 +228,7 @@ describe('Client', () => {
 
       const { body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send({ ...createClientPayload, useManagedDataStore: true })
 
       const actualClient = await clientService.findById(body.id)
@@ -240,7 +253,7 @@ describe('Client', () => {
 
       const { status, body } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send({
           ...createClientPayload,
           useManagedDataStore: true,
@@ -277,7 +290,7 @@ describe('Client', () => {
     it('responds with unprocessable entity when payload is invalid', async () => {
       const { status } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, adminApiKey)
+        .set(REQUEST_HEADER_ADMIN_API_KEY, adminApiKey)
         .send({})
 
       expect(status).toEqual(HttpStatus.UNPROCESSABLE_ENTITY)
@@ -286,7 +299,7 @@ describe('Client', () => {
     it('responds with forbidden when admin api key is invalid', async () => {
       const { status } = await request(app.getHttpServer())
         .post('/clients')
-        .set(REQUEST_HEADER_API_KEY, 'invalid-admin-api-key')
+        .set(REQUEST_HEADER_ADMIN_API_KEY, 'invalid-admin-api-key')
         .send({})
 
       expect(status).toEqual(HttpStatus.FORBIDDEN)

apps/armory/src/client/core/type/client.type.ts

@@ -1,5 +1,5 @@
 import { DataStoreConfiguration } from '@narval/policy-engine-shared'
-import { jwkSchema, publicKeySchema } from '@narval/signature'
+import { jwkSchema, publicKeySchema, SigningAlg } from '@narval/signature'
 import { z } from 'zod'
 
 export const PolicyEngineNode = z.object({
@@ -61,3 +61,38 @@ export const PublicClient = Client.extend({
   })
 })
 export type PublicClient = z.infer<typeof PublicClient>
+
+export const PolicyEnginePublicClient = z.object({
+  clientId: z.string(),
+  name: z.string(),
+  configurationSource: z.literal('declarative').or(z.literal('dynamic')), // Declarative = comes from config file, Dynamic = created at runtime
+  baseUrl: z.string().nullable(),
+
+  auth: z.object({
+    disabled: z.boolean(),
+    local: z
+      .object({
+        clientSecret: z.string().nullable()
+      })
+      .nullable()
+  }),
+
+  dataStore: z.object({
+    entity: DataStoreConfiguration,
+    policy: DataStoreConfiguration
+  }),
+
+  decisionAttestation: z.object({
+    disabled: z.boolean(),
+    signer: z
+      .object({
+        alg: z.nativeEnum(SigningAlg),
+        keyId: z.string().nullable().describe('Unique id of the signer key. Matches the kid in both jwks'),
+        publicKey: publicKeySchema.optional()
+      })
+      .nullable()
+  }),
+  createdAt: z.coerce.date(),
+  updatedAt: z.coerce.date()
+})
+export type PolicyEnginePublicClient = z.infer<typeof PolicyEnginePublicClient>

apps/armory/src/main.ts

@@ -7,14 +7,20 @@ import { instrumentTelemetry } from '@narval/open-telemetry'
 instrumentTelemetry({ serviceName: 'armory' })
 
 import { ConfigService } from '@narval/config-module'
-import { LoggerService, withApiVersion, withCors, withLogger, withSwagger } from '@narval/nestjs-shared'
+import {
+  LoggerService,
+  securityOptions,
+  withApiVersion,
+  withCors,
+  withLogger,
+  withSwagger
+} from '@narval/nestjs-shared'
 import { ClassSerializerInterceptor, INestApplication, ValidationPipe } from '@nestjs/common'
 import { NestFactory, Reflector } from '@nestjs/core'
 import compression from 'compression'
 import { json } from 'express'
 import { lastValueFrom, map, of, switchMap } from 'rxjs'
 import { Config } from './armory.config'
-import { ADMIN_SECURITY, CLIENT_ID_SECURITY, CLIENT_SECRET_SECURITY } from './armory.constant'
 import { ArmoryModule } from './armory.module'
 import { ApplicationExceptionFilter } from './shared/filter/application-exception.filter'
 import { HttpExceptionFilter } from './shared/filter/http-exception.filter'
@@ -103,7 +109,7 @@ async function bootstrap(): Promise<void> {
           title: 'Armory',
           description: 'Authentication and authorization system for web3.0',
           version: '1.0',
-          security: [ADMIN_SECURITY, CLIENT_ID_SECURITY, CLIENT_SECRET_SECURITY]
+          security: [securityOptions.clientId, securityOptions.clientSecret, securityOptions.adminApiKey]
         })
       ),
       switchMap((app) => app.listen(port))

apps/armory/src/orchestration/__test__/e2e/authorization-request.spec.ts

@@ -409,7 +409,6 @@ describe('Authorization Request', () => {
       idempotencyKey: '8dcbb7ad-82a2-4eca-b2f0-b1415c1d4a17',
       evaluations: [],
       approvals: [],
-      errors: [],
       createdAt: new Date(),
       updatedAt: new Date()
     }

apps/armory/src/orchestration/http/rest/util.ts

@@ -17,8 +17,10 @@ export const toCreateAuthorizationRequest = (
   const authentication = dto.authentication
   const approvals = dto.approvals || []
   const audience = dto.metadata?.audience
+  const confirmation = dto.metadata?.confirmation
   const metadata = {
     ...(audience && { audience }),
+    ...(confirmation && { confirmation }),
     expiresIn: dto.metadata?.expiresIn || TEN_MINUTES,
     issuedAt: nowSeconds(),
     issuer: `${clientId}.armory.narval.xyz`

apps/armory/src/orchestration/persistence/decode/authorization-request.decode.ts

@@ -4,12 +4,12 @@ import {
   Approvals,
   AuthorizationRequest,
   AuthorizationRequestError,
+  AuthorizationRequestMetadata,
   Evaluation
 } from '@narval/policy-engine-shared'
 import {
   ApprovalRequirement as ApprovalRequirementModel,
-  AuthorizationRequestError as AuthorizationRequestErrorModel,
-  Prisma
+  AuthorizationRequestError as AuthorizationRequestErrorModel
 } from '@prisma/client/armory'
 import { ZodIssueCode, ZodSchema, z } from 'zod'
 import { ACTION_REQUEST } from '../../orchestration.constant'
@@ -33,10 +33,18 @@ const buildSharedAttributes = (model: AuthorizationRequestModel): Omit<Authoriza
     authentication: model.authnSig,
     approvals: z.array(z.string()).parse(model.approvals.filter(({ error }) => !error).map((approval) => approval.sig)),
     evaluations: (model.evaluationLog || []).map(decodeEvaluationLog),
-    metadata: model.metadata as Prisma.InputJsonObject,
-    errors: (model.errors || []).map(buildError),
     createdAt: model.createdAt,
-    updatedAt: model.updatedAt
+    updatedAt: model.updatedAt,
+    ...(model.errors && model.errors.length
+      ? {
+          errors: model.errors.map(buildError)
+        }
+      : {}),
+    ...(model.metadata
+      ? {
+          metadata: AuthorizationRequestMetadata.parse(model.metadata)
+        }
+      : {})
   }
 }