@adobe/spacecat-shared-data-access 2.108.0 → 2.109.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [@adobe/spacecat-shared-data-access-v2.109.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-data-access-v2.108.0...@adobe/spacecat-shared-data-access-v2.109.0) (2026-02-16)
+
+
+### Features
+
+* consumer entity to register technical accounts ([#1341](https://github.com/adobe/spacecat-shared/issues/1341)) ([a0572e8](https://github.com/adobe/spacecat-shared/commit/a0572e8f52c95d90b986495a110ec66f58caa77e))
+
 # [@adobe/spacecat-shared-data-access-v2.108.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-data-access-v2.107.0...@adobe/spacecat-shared-data-access-v2.108.0) (2026-02-13)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-data-access",
-  "version": "2.108.0",
+  "version": "2.109.0",
   "description": "Shared modules of the Spacecat Services - Data Access",
   "type": "module",
   "engines": {

package/src/index.js

@@ -40,12 +40,18 @@ export default function dataAccessWrapper(fn) {
         DYNAMO_TABLE_NAME_DATA = TABLE_NAME_DATA,
         S3_CONFIG_BUCKET: s3Bucket,
         AWS_REGION: region,
+        S2S_ALLOWED_IMS_ORG_IDS: s2sAllowedImsOrgIdsRaw,
       } = context.env;
 
+      const s2sAllowedImsOrgIds = s2sAllowedImsOrgIdsRaw
+        ? s2sAllowedImsOrgIdsRaw.split(',').map((id) => id.trim()).filter(Boolean)
+        : [];
+
       context.dataAccess = createDataAccess({
         tableNameData: DYNAMO_TABLE_NAME_DATA,
         s3Bucket,
         region,
+        s2sAllowedImsOrgIds,
       }, log);
     }
 

package/src/models/base/entity.registry.js

@@ -18,6 +18,7 @@ import AsyncJobCollection from '../async-job/async-job.collection.js';
 import AuditCollection from '../audit/audit.collection.js';
 import AuditUrlCollection from '../audit-url/audit-url.collection.js';
 import ConfigurationCollection from '../configuration/configuration.collection.js';
+import ConsumerCollection from '../consumer/consumer.collection.js';
 import ExperimentCollection from '../experiment/experiment.collection.js';
 import EntitlementCollection from '../entitlement/entitlement.collection.js';
 import FixEntityCollection from '../fix-entity/fix-entity.collection.js';
@@ -49,6 +50,7 @@ import ApiKeySchema from '../api-key/api-key.schema.js';
 import AsyncJobSchema from '../async-job/async-job.schema.js';
 import AuditSchema from '../audit/audit.schema.js';
 import AuditUrlSchema from '../audit-url/audit-url.schema.js';
+import ConsumerSchema from '../consumer/consumer.schema.js';
 import EntitlementSchema from '../entitlement/entitlement.schema.js';
 import FixEntitySchema from '../fix-entity/fix-entity.schema.js';
 import FixEntitySuggestionSchema from '../fix-entity-suggestion/fix-entity-suggestion.schema.js';
@@ -90,10 +92,12 @@ class EntityRegistry {
    * @param {Object} services - Dictionary of services keyed by datastore type.
    * @param {Object} services.dynamo - The ElectroDB service instance for DynamoDB operations.
    * @param {{s3Client: S3Client, s3Bucket: string}|null} [services.s3] - S3 service configuration.
+   * @param {Object} config - Configuration object containing environment-derived settings.
    * @param {Object} log - A logger for capturing and logging information.
    */
-  constructor(services, log) {
+  constructor(services, config, log) {
     this.services = services;
+    this.config = config;
     this.log = log;
     this.collections = new Map();
 
@@ -142,6 +146,14 @@ class EntityRegistry {
     return collections;
   }
 
+  /**
+   * Returns the camelCase names of all registered entities (including Configuration).
+   * @returns {string[]} - An array of entity names.
+   */
+  getEntityNames() {
+    return [...Object.keys(this.constructor.entities), 'configuration'];
+  }
+
   static getEntities() {
     return Object.keys(this.entities).reduce((acc, key) => {
       acc[key] = this.entities[key].schema.toElectroDBSchema();
@@ -159,6 +171,7 @@ EntityRegistry.registerEntity(ApiKeySchema, ApiKeyCollection);
 EntityRegistry.registerEntity(AsyncJobSchema, AsyncJobCollection);
 EntityRegistry.registerEntity(AuditSchema, AuditCollection);
 EntityRegistry.registerEntity(AuditUrlSchema, AuditUrlCollection);
+EntityRegistry.registerEntity(ConsumerSchema, ConsumerCollection);
 EntityRegistry.registerEntity(EntitlementSchema, EntitlementCollection);
 EntityRegistry.registerEntity(FixEntitySchema, FixEntityCollection);
 EntityRegistry.registerEntity(FixEntitySuggestionSchema, FixEntitySuggestionCollection);

package/src/models/consumer/consumer.collection.js

@@ -0,0 +1,149 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { hasText, isNonEmptyArray } from '@adobe/spacecat-shared-utils';
+
+import BaseCollection from '../base/base.collection.js';
+import ValidationError from '../../errors/validation.error.js';
+import Consumer from './consumer.model.js';
+
+/**
+ * ConsumerCollection - A collection class responsible for managing Consumer entities.
+ * Extends the BaseCollection to provide specific methods for interacting with Consumer records.
+ *
+ * @class ConsumerCollection
+ * @extends BaseCollection
+ */
+class ConsumerCollection extends BaseCollection {
+  static COLLECTION_NAME = 'ConsumerCollection';
+
+  #validCapabilities = null;
+
+  /**
+   * Returns the set of valid capabilities, generated dynamically from all registered
+   * entity names and operations. Computed once and cached.
+   * Format: entityName:operation (e.g. "site:read", "organization:write")
+   * @returns {Set<string>} - The set of valid capability strings.
+   * @private
+   */
+  #getValidCapabilities() {
+    if (!this.#validCapabilities) {
+      const entityNames = this.entityRegistry.getEntityNames();
+      this.#validCapabilities = new Set(
+        entityNames.flatMap(
+          (name) => Consumer.CAPABILITIES.map((op) => `${name}:${op}`),
+        ),
+      );
+    }
+    return this.#validCapabilities;
+  }
+
+  /**
+   * Validates that all capabilities in the given array are known entity:operation pairs.
+   * Called during both create() and save() to prevent capability escalation.
+   * @param {string[]} capabilities - The capabilities to validate.
+   * @throws {ValidationError} - Throws if any capability is not recognized.
+   */
+  validateCapabilities(capabilities) {
+    if (!isNonEmptyArray(capabilities)) {
+      return;
+    }
+
+    const validCapabilities = this.#getValidCapabilities();
+    const invalid = capabilities.filter((cap) => !validCapabilities.has(cap));
+
+    if (invalid.length > 0) {
+      throw new ValidationError(
+        `Invalid capabilities: [${invalid.join(', ')}]`,
+        this,
+      );
+    }
+  }
+
+  /**
+   * Validates that the given imsOrgId is in the allowed list from config.
+   * @param {string} imsOrgId - The IMS Org ID to validate.
+   * @throws {ValidationError} - Throws if the imsOrgId is not in the allowed list.
+   * @private
+   */
+  #validateImsOrgId(imsOrgId) {
+    const { s2sAllowedImsOrgIds } = this.entityRegistry.config;
+
+    if (!isNonEmptyArray(s2sAllowedImsOrgIds)) {
+      throw new ValidationError(
+        'S2S_ALLOWED_IMS_ORG_IDS is not configured. Cannot create a consumer without an allowlist.',
+        this,
+      );
+    }
+
+    if (!s2sAllowedImsOrgIds.includes(imsOrgId)) {
+      throw new ValidationError(
+        `The imsOrgId "${imsOrgId}" is not in the list of allowed IMS Org IDs`,
+        this,
+      );
+    }
+  }
+
+  /**
+   * Validates that no existing consumer has the same clientId.
+   * Uses findByClientId() to enforce global uniqueness, which is correct because IMS
+   * client_ids are globally unique per integration in Adobe Developer Console regardless
+   * of the owning org. The composite index ['clientId', 'imsOrgId'] exists for efficient
+   * scoped lookups, not to imply per-org uniqueness.
+   * @param {string} clientId - The clientId to check.
+   * @throws {ValidationError} - Throws if a consumer with this clientId already exists.
+   * @private
+   */
+  async #validateClientIdUniqueness(clientId) {
+    if (!hasText(clientId)) {
+      throw new ValidationError(
+        'clientId is required to create a consumer',
+        this,
+      );
+    }
+
+    const existing = await this.findByClientId(clientId);
+    if (existing) {
+      throw new ValidationError(
+        `A consumer with clientId "${clientId}" already exists`,
+        this,
+      );
+    }
+  }
+
+  /**
+   * Creates a new Consumer entity after validating imsOrgId, capabilities, and clientId uniqueness.
+   * @param {Object} item - The data for the entity to be created.
+   * @param {Object} [options] - Additional options for the creation process.
+   * @returns {Promise<BaseModel>} - A promise that resolves to the created model instance.
+   * @throws {ValidationError} - Throws if validation fails.
+   */
+  async create(item, options = {}) {
+    this.#validateImsOrgId(item?.imsOrgId);
+    this.validateCapabilities(item?.capabilities);
+    await this.#validateClientIdUniqueness(item?.clientId);
+    return super.create(item, options);
+  }
+
+  /**
+   * Bulk creation is not supported for Consumer entities.
+   * All consumers must be created individually via create() to enforce
+   * imsOrgId allowlist, capability validation, and clientId uniqueness checks.
+   * @throws {Error} Always throws — use create() instead.
+   */
+  // eslint-disable-next-line class-methods-use-this, no-unused-vars
+  async createMany(_items, _parent) {
+    throw new Error('createMany is not supported for Consumer. Use create() instead.');
+  }
+}
+
+export default ConsumerCollection;

package/src/models/consumer/consumer.model.js

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { isIsoDate } from '@adobe/spacecat-shared-utils';
+
+import BaseModel from '../base/base.model.js';
+
+/**
+ * Consumer - A class representing a Consumer entity.
+ * Provides methods to access and manipulate Consumer-specific data.
+ *
+ * @class Consumer
+ * @extends BaseModel
+ */
+class Consumer extends BaseModel {
+  static ENTITY_NAME = 'Consumer';
+
+  static STATUS = {
+    ACTIVE: 'ACTIVE',
+    SUSPENDED: 'SUSPENDED',
+    REVOKED: 'REVOKED',
+  };
+
+  /**
+   * Checks whether this consumer has been revoked.
+   * @returns {boolean} - True if the consumer has been revoked.
+   */
+  isRevoked() {
+    return this.getStatus() === Consumer.STATUS.REVOKED
+      || (isIsoDate(this.getRevokedAt()) && new Date(this.getRevokedAt()) <= new Date());
+  }
+
+  /**
+   * Saves the consumer after validating capabilities against the allowlist.
+   * Prevents capability escalation via setCapabilities() + save().
+   * @async
+   * @returns {Promise<Consumer>} - The saved consumer instance.
+   * @throws {ValidationError} - If capabilities are invalid.
+   */
+  async save() {
+    this.collection.validateCapabilities(this.getCapabilities());
+    return super.save();
+  }
+
+  static CAPABILITIES = ['read', 'write', 'delete'];
+
+  static IMS_ORG_ID_REGEX = /^[a-z0-9]{24}@AdobeOrg$/i;
+
+  static TECHNICAL_ACCOUNT_ID_REGEX = /^[a-z0-9]{24}@techacct\.adobe\.com$/i;
+}
+
+export default Consumer;

package/src/models/consumer/consumer.schema.js

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { isIsoDate } from '@adobe/spacecat-shared-utils';
+
+import SchemaBuilder from '../base/schema.builder.js';
+import Consumer from './consumer.model.js';
+import ConsumerCollection from './consumer.collection.js';
+
+/*
+Schema Doc: https://electrodb.dev/en/modeling/schema/
+Attribute Doc: https://electrodb.dev/en/modeling/attributes/
+Indexes Doc: https://electrodb.dev/en/modeling/indexes/
+ */
+
+const schema = new SchemaBuilder(Consumer, ConsumerCollection)
+  .addAttribute('clientId', {
+    type: 'string',
+    required: true,
+    readOnly: true,
+  })
+  .addAttribute('technicalAccountId', {
+    type: 'string',
+    required: true,
+    readOnly: true,
+    validate: (value) => Consumer.TECHNICAL_ACCOUNT_ID_REGEX.test(value),
+  })
+  .addAttribute('consumerName', {
+    type: 'string',
+    required: true,
+  })
+  .addAttribute('status', {
+    type: Object.values(Consumer.STATUS),
+    required: true,
+  })
+  .addAttribute('capabilities', {
+    type: 'list',
+    required: true,
+    items: {
+      type: 'string',
+    },
+  })
+  .addAttribute('revokedAt', {
+    type: 'string',
+    validate: (value) => !value || isIsoDate(value),
+  })
+  .addAttribute('imsOrgId', {
+    type: 'string',
+    required: true,
+    readOnly: true,
+    validate: (value) => Consumer.IMS_ORG_ID_REGEX.test(value),
+  })
+  .addAllIndex(['imsOrgId'])
+  .addAllIndex(['clientId', 'imsOrgId']);
+
+export default schema.build();

package/src/models/consumer/index.d.ts

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import type { BaseCollection, BaseModel } from '../index';
+
+export type ConsumerStatus = 'ACTIVE' | 'SUSPENDED' | 'REVOKED';
+
+export interface Consumer extends BaseModel {
+  getClientId(): string;
+  getTechnicalAccountId(): string;
+  getConsumerName(): string;
+  getStatus(): ConsumerStatus;
+  getCapabilities(): string[];
+  getImsOrgId(): string;
+  getRevokedAt(): string | undefined;
+  isRevoked(): boolean;
+  setConsumerName(consumerName: string): Consumer;
+  setStatus(status: ConsumerStatus): Consumer;
+  setCapabilities(capabilities: string[]): Consumer;
+  setRevokedAt(revokedAt: string): Consumer;
+}
+
+export interface ConsumerCollection extends BaseCollection<Consumer> {
+  allByImsOrgId(imsOrgId: string): Promise<Consumer[]>;
+  allByClientId(clientId: string): Promise<Consumer[]>;
+  allByClientIdAndImsOrgId(clientId: string, imsOrgId: string): Promise<Consumer[]>;
+  findByImsOrgId(imsOrgId: string): Promise<Consumer | null>;
+  findByClientId(clientId: string): Promise<Consumer | null>;
+  findByClientIdAndImsOrgId(clientId: string, imsOrgId: string): Promise<Consumer | null>;
+}

package/src/models/consumer/index.js

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import Consumer from './consumer.model.js';
+import ConsumerCollection from './consumer.collection.js';
+
+export {
+  Consumer,
+  ConsumerCollection,
+};

package/src/models/index.d.ts

@@ -14,6 +14,7 @@ export type * from './audit';
 export type * from './async-job';
 export type * from './configuration';
 export type * from './base';
+export type * from './consumer';
 export type * from './fix-entity';
 export type * from './fix-entity-suggestion';
 export type * from './experiment';

package/src/models/index.js

@@ -16,6 +16,7 @@ export * from './audit/index.js';
 export * from './audit-url/index.js';
 export * from './base/index.js';
 export * from './configuration/index.js';
+export * from './consumer/index.js';
 export * from './entitlement/index.js';
 export * from './fix-entity/index.js';
 export * from './fix-entity-suggestion/index.js';

package/src/service/index.js

@@ -115,7 +115,7 @@ export const createDataAccess = (config, log = console, client = undefined) => {
   const rawClient = createRawClient(client);
   const electroService = createElectroService(rawClient, config, log);
   const services = createServices(electroService, config);
-  const entityRegistry = new EntityRegistry(services, log);
+  const entityRegistry = new EntityRegistry(services, config, log);
 
   return entityRegistry.getCollections();
 };