@pagopa/dx-cli 0.16.2 → 0.18.0

package/dist/domain/__tests__/data.d.ts

@@ -1,12 +1,14 @@
 import { Octokit } from "octokit";
 import { DeepMockProxy, MockProxy } from "vitest-mock-extended";
 import { Config } from "../../config.js";
+import { AuthorizationService } from "../authorization.js";
 import { GitHubService } from "../github.js";
 import { PackageJson, PackageJsonReader } from "../package-json.js";
 import { RepositoryReader } from "../repository.js";
 import { ValidationReporter } from "../validation.js";
 export declare const makeMockPackageJson: (overrides?: Partial<PackageJson>) => PackageJson;
 export declare const makeMockDependencies: () => {
+    authorizationService: MockProxy<AuthorizationService>;
     gitHubService: MockProxy<GitHubService>;
     octokit: DeepMockProxy<Octokit>;
     packageJsonReader: MockProxy<PackageJsonReader>;

package/dist/domain/__tests__/data.js

@@ -13,6 +13,7 @@ export const makeMockPackageJson = (overrides = {}) => {
     };
 };
 export const makeMockDependencies = () => ({
+    authorizationService: mock(),
     gitHubService: mock(),
     octokit: mockDeep(),
     packageJsonReader: mock(),

package/dist/domain/authorization.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Authorization Domain
+ *
+ * Provides types and interfaces for requesting cloud authorization.
+ * This module is technology-agnostic: it does not depend on any specific
+ * cloud provider or version-control platform.
+ */
+import { ResultAsync } from "neverthrow";
+import { z } from "zod/v4";
+/**
+ * Input validation schema for the request authorization use case.
+ */
+export declare const requestAuthorizationInputSchema: z.ZodObject<{
+    bootstrapIdentityId: z.core.$ZodBranded<z.ZodString, "BootstrapIdentityId">;
+    subscriptionName: z.core.$ZodBranded<z.ZodString, "SubscriptionName">;
+}, z.core.$strip>;
+/**
+ * Service interface for requesting cloud authorization.
+ * Implementations handle the platform-specific details of granting access.
+ */
+export interface AuthorizationService {
+    requestAuthorization(input: RequestAuthorizationInput): ResultAsync<AuthorizationResult, AuthorizationError>;
+}
+export type RequestAuthorizationInput = z.infer<typeof requestAuthorizationInputSchema>;
+/**
+ * Base error class for authorization-related errors.
+ */
+export declare class AuthorizationError extends Error {
+    constructor(message: string);
+}
+/**
+ * Result returned by a successful authorization request.
+ */
+export declare class AuthorizationResult {
+    readonly url: string;
+    constructor(url: string);
+}
+/**
+ * Error thrown when attempting to add an identity that already exists.
+ */
+export declare class IdentityAlreadyExistsError extends AuthorizationError {
+    constructor(identityId: string);
+}
+/**
+ * Error thrown when the authorization configuration format is invalid or cannot be parsed.
+ */
+export declare class InvalidAuthorizationFileFormatError extends AuthorizationError {
+    constructor(details: string);
+}

package/dist/domain/authorization.js

@@ -0,0 +1,73 @@
+/**
+ * Authorization Domain
+ *
+ * Provides types and interfaces for requesting cloud authorization.
+ * This module is technology-agnostic: it does not depend on any specific
+ * cloud provider or version-control platform.
+ */
+import { z } from "zod/v4";
+/**
+ * Branded type for subscription name.
+ * Validates that the name contains only letters, numbers, and hyphens to prevent path traversal attacks.
+ */
+const SubscriptionName = z
+    .string()
+    .min(1)
+    .regex(/^[A-Za-z0-9-]+$/, {
+    message: "Subscription name may contain only letters, numbers, and hyphens",
+})
+    .brand();
+/**
+ * Branded type for bootstrap identity ID.
+ * Validates that the ID contains only lowercase letters, numbers, and hyphens to prevent injection attacks.
+ */
+const BootstrapIdentityId = z
+    .string()
+    .min(1)
+    .regex(/^[a-z0-9-]+$/, {
+    message: "Bootstrap identity ID may contain only lowercase letters, numbers, and hyphens",
+})
+    .brand();
+/**
+ * Input validation schema for the request authorization use case.
+ */
+export const requestAuthorizationInputSchema = z.object({
+    bootstrapIdentityId: BootstrapIdentityId,
+    subscriptionName: SubscriptionName,
+});
+/**
+ * Base error class for authorization-related errors.
+ */
+export class AuthorizationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "AuthorizationError";
+    }
+}
+/**
+ * Result returned by a successful authorization request.
+ */
+export class AuthorizationResult {
+    url;
+    constructor(url) {
+        this.url = url;
+    }
+}
+/**
+ * Error thrown when attempting to add an identity that already exists.
+ */
+export class IdentityAlreadyExistsError extends AuthorizationError {
+    constructor(identityId) {
+        super(`Identity "${identityId}" already exists`);
+        this.name = "IdentityAlreadyExistsError";
+    }
+}
+/**
+ * Error thrown when the authorization configuration format is invalid or cannot be parsed.
+ */
+export class InvalidAuthorizationFileFormatError extends AuthorizationError {
+    constructor(details) {
+        super(`Invalid authorization file format: ${details}`);
+        this.name = "InvalidAuthorizationFileFormatError";
+    }
+}

package/dist/domain/cloud-account.d.ts

@@ -1,5 +1,6 @@
 import { z } from "zod/v4";
 import { type EnvironmentId } from "./environment.js";
+import { type GitHubAppCredentials } from "./github.js";
 import { TerraformBackend } from "./remote-backend.js";
 export declare const cloudAccountSchema: z.ZodObject<{
     csp: z.ZodDefault<z.ZodEnum<{
@@ -16,7 +17,7 @@ export type CloudAccountRepository = {
 export type CloudAccountService = {
     getTerraformBackend(cloudAccountId: CloudAccount["id"], environment: EnvironmentId): Promise<TerraformBackend | undefined>;
     hasUserPermissionToInitialize(cloudAccountId: CloudAccount["id"]): Promise<boolean>;
-    initialize(cloudAccount: CloudAccount, environment: EnvironmentId, tags?: Record<string, string>): Promise<void>;
+    initialize(cloudAccount: CloudAccount, environment: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, tags?: Record<string, string>): Promise<void>;
     isInitialized(cloudAccountId: CloudAccount["id"], environment: EnvironmentId): Promise<boolean>;
     provisionTerraformBackend(cloudAccount: CloudAccount, environment: EnvironmentId, tags?: Record<string, string>): Promise<TerraformBackend>;
 };

package/dist/domain/dependencies.d.ts

@@ -1,8 +1,10 @@
+import { AuthorizationService } from "./authorization.js";
 import { GitHubService } from "./github.js";
 import { PackageJsonReader } from "./package-json.js";
 import { RepositoryReader } from "./repository.js";
 import { ValidationReporter } from "./validation.js";
 export type Dependencies = {
+    authorizationService: AuthorizationService;
     gitHubService: GitHubService;
     packageJsonReader: PackageJsonReader;
     repositoryReader: RepositoryReader;

package/dist/domain/github.d.ts

@@ -1,16 +1,58 @@
+import { z } from "zod/v4";
+export type CreateBranchParams = {
+    branchName: string;
+    fromRef: string;
+    owner: string;
+    repo: string;
+};
+export type FileContent = {
+    content: string;
+    sha: string;
+};
+export type GetFileContentParams = {
+    owner: string;
+    path: string;
+    ref?: string;
+    repo: string;
+};
 export interface GitHubService {
+    /**
+     * Creates a new branch from an existing reference.
+     * @throws Error if branch creation fails
+     */
+    createBranch(params: CreateBranchParams): Promise<void>;
     /**
      * Creates a pull request in a GitHub repository.
      * @throws Error if pull request creation fails
      */
     createPullRequest(params: PullRequestBody): Promise<PullRequest>;
+    /**
+     * Gets the content of a file from a GitHub repository.
+     * @throws FileNotFoundError if file doesn't exist (404)
+     * @throws Error for other failures
+     */
+    getFileContent(params: GetFileContentParams): Promise<FileContent>;
     /**
      * Gets a GitHub repository by owner and name.
      * @throws RepositoryNotFoundError if repository doesn't exist (404)
      * @throws Error for other failures
      */
     getRepository(owner: string, name: string): Promise<Repository>;
+    /**
+     * Updates a file in a GitHub repository.
+     * @throws Error if file update fails
+     */
+    updateFile(params: UpdateFileParams): Promise<void>;
 }
+export type UpdateFileParams = {
+    branch: string;
+    content: string;
+    message: string;
+    owner: string;
+    path: string;
+    repo: string;
+    sha: string;
+};
 type PullRequestBody = {
     base: string;
     body: string;
@@ -19,6 +61,9 @@ type PullRequestBody = {
     repo: string;
     title: string;
 };
+export declare class FileNotFoundError extends Error {
+    constructor(path: string);
+}
 export declare class PullRequest {
     readonly url: string;
     constructor(url: string);
@@ -35,4 +80,10 @@ export declare class Repository {
 export declare class RepositoryNotFoundError extends Error {
     constructor(owner: string, name: string);
 }
+export declare const githubAppCredentialsSchema: z.ZodObject<{
+    id: z.ZodString;
+    installationId: z.ZodString;
+    key: z.ZodString;
+}, z.core.$strip>;
+export type GitHubAppCredentials = z.infer<typeof githubAppCredentialsSchema>;
 export {};

package/dist/domain/github.js

@@ -1,3 +1,10 @@
+import { z } from "zod/v4";
+export class FileNotFoundError extends Error {
+    constructor(path) {
+        super(`File not found: ${path}`);
+        this.name = "FileNotFoundError";
+    }
+}
 export class PullRequest {
     url;
     constructor(url) {
@@ -30,3 +37,8 @@ export class RepositoryNotFoundError extends Error {
         this.name = "RepositoryNotFoundError";
     }
 }
+export const githubAppCredentialsSchema = z.object({
+    id: z.string().nonempty(),
+    installationId: z.string().nonempty(),
+    key: z.string().nonempty(),
+});

package/dist/index.js

@@ -7,10 +7,12 @@ import { makeValidationReporter } from "./adapters/logtape/validation-reporter.j
 import { makePackageJsonReader } from "./adapters/node/package-json.js";
 import { makeRepositoryReader } from "./adapters/node/repository.js";
 import { getGitHubPAT, OctokitGitHubService, } from "./adapters/octokit/index.js";
+import { makeAuthorizationService } from "./adapters/pagopa-technology/authorization.js";
 import { getConfig } from "./config.js";
 import { getInfo } from "./domain/info.js";
 import { applyCodemodById } from "./use-cases/apply-codemod.js";
 import { listCodemods } from "./use-cases/list-codemods.js";
+import { requestAuthorization } from "./use-cases/request-authorization.js";
 export const runCli = async (version) => {
     // Creating the adapters
     const repositoryReader = makeRepositoryReader();
@@ -22,7 +24,9 @@ export const runCli = async (version) => {
         auth,
     });
     const gitHubService = new OctokitGitHubService(octokit);
+    const authorizationService = makeAuthorizationService(gitHubService);
     const deps = {
+        authorizationService,
         gitHubService,
         packageJsonReader,
         repositoryReader,
@@ -32,6 +36,7 @@ export const runCli = async (version) => {
     const useCases = {
         applyCodemodById: applyCodemodById(codemodRegistry, getInfo(deps)),
         listCodemods: listCodemods(codemodRegistry),
+        requestAuthorization: requestAuthorization(authorizationService),
     };
     const program = makeCli(deps, config, useCases, version);
     program.parse();

package/dist/use-cases/__tests__/request-authorization.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for the requestAuthorization use case.
+ */
+export {};

package/dist/use-cases/__tests__/request-authorization.test.js

@@ -0,0 +1,40 @@
+/**
+ * Tests for the requestAuthorization use case.
+ */
+import { errAsync, okAsync } from "neverthrow";
+import { describe, expect, it } from "vitest";
+import { mock } from "vitest-mock-extended";
+import { AuthorizationError, AuthorizationResult, IdentityAlreadyExistsError, requestAuthorizationInputSchema, } from "../../domain/authorization.js";
+import { requestAuthorization } from "../request-authorization.js";
+const makeSampleInput = () => requestAuthorizationInputSchema.parse({
+    bootstrapIdentityId: "test-bootstrap-identity-id",
+    subscriptionName: "test-subscription",
+});
+describe("requestAuthorization", () => {
+    it("should return the authorization result on success", async () => {
+        const authorizationService = mock();
+        const input = makeSampleInput();
+        const expectedResult = new AuthorizationResult("https://github.com/pagopa/eng-azure-authorization/pull/42");
+        authorizationService.requestAuthorization.mockReturnValue(okAsync(expectedResult));
+        const result = await requestAuthorization(authorizationService)(input);
+        expect(result.isOk()).toBe(true);
+        expect(result._unsafeUnwrap().url).toBe("https://github.com/pagopa/eng-azure-authorization/pull/42");
+        expect(authorizationService.requestAuthorization).toHaveBeenCalledWith(input);
+    });
+    it("should propagate errors from the authorization service", async () => {
+        const authorizationService = mock();
+        const input = makeSampleInput();
+        authorizationService.requestAuthorization.mockReturnValue(errAsync(new IdentityAlreadyExistsError("test-bootstrap-identity-id")));
+        const result = await requestAuthorization(authorizationService)(input);
+        expect(result.isErr()).toBe(true);
+        expect(result._unsafeUnwrapErr()).toBeInstanceOf(IdentityAlreadyExistsError);
+    });
+    it("should propagate generic authorization errors", async () => {
+        const authorizationService = mock();
+        const input = makeSampleInput();
+        authorizationService.requestAuthorization.mockReturnValue(errAsync(new AuthorizationError("Something went wrong")));
+        const result = await requestAuthorization(authorizationService)(input);
+        expect(result.isErr()).toBe(true);
+        expect(result._unsafeUnwrapErr()).toBeInstanceOf(AuthorizationError);
+    });
+});

package/dist/use-cases/request-authorization.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Request Authorization Use Case
+ *
+ * Orchestrates an authorization request by delegating to the
+ * technology-agnostic AuthorizationService.
+ */
+import { ResultAsync } from "neverthrow";
+import { AuthorizationError, AuthorizationResult, AuthorizationService, RequestAuthorizationInput } from "../domain/authorization.js";
+/**
+ * Creates a function that requests authorization for a bootstrap identity.
+ *
+ * @param authorizationService - The service handling platform-specific authorization logic
+ * @returns A function that takes input and returns a ResultAsync with the authorization result
+ */
+export declare const requestAuthorization: (authorizationService: AuthorizationService) => (input: RequestAuthorizationInput) => ResultAsync<AuthorizationResult, AuthorizationError>;

package/dist/use-cases/request-authorization.js

@@ -0,0 +1,13 @@
+/**
+ * Request Authorization Use Case
+ *
+ * Orchestrates an authorization request by delegating to the
+ * technology-agnostic AuthorizationService.
+ */
+/**
+ * Creates a function that requests authorization for a bootstrap identity.
+ *
+ * @param authorizationService - The service handling platform-specific authorization logic
+ * @returns A function that takes input and returns a ResultAsync with the authorization result
+ */
+export const requestAuthorization = (authorizationService) => (input) => authorizationService.requestAuthorization(input);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.16.2",
+  "version": "0.18.0",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -22,7 +22,9 @@
   },
   "dependencies": {
     "@azure/arm-authorization": "^9.0.0",
+    "@azure/arm-keyvault": "^4.0.0",
     "@azure/arm-msi": "^2.2.0",
+    "@azure/keyvault-secrets": "^4.9.0",
     "@azure/arm-resourcegraph": "^4.2.1",
     "@azure/arm-resources": "^7.0.0",
     "@azure/arm-resources-subscriptions": "^2.1.0",

package/templates/environment/bootstrapper/{{env.name}}/main.tf.hbs

@@ -36,6 +36,7 @@ module "azure-{{displayName}}_bootstrap" {
       name                = data.azurerm_key_vault.common.name
       resource_group_name = data.azurerm_key_vault.common.resource_group_name
     }
+    use_github_app = true
   }
 
   apim_id                            = data.azurerm_api_management.apim.id
@@ -103,6 +104,7 @@ module "azure-{{displayName}}_bootstrap" {
       name                = module.azure-{{displayName}}_core_values.common_key_vault.name
       resource_group_name = module.azure-{{displayName}}_core_values.common_key_vault.resource_group_name
     }
+    use_github_app = true
   }
 
   pep_vnet_id                        = module.azure-{{displayName}}_core_values.common_vnet.id

package/templates/environment/bootstrapper/{{env.name}}/providers.tf.hbs

@@ -11,6 +11,11 @@ terraform {
       version = "~> 2.0"
     }
     {{/with}}
+
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
   }
 }
 
@@ -24,3 +29,7 @@ provider "azurerm" {
 }
 {{/each}}
 {{/with}}
+
+provider "github" {
+  owner = "{{github.owner}}"
+}

package/templates/environment/core/{{env.name}}/imports.tf.hbs

@@ -0,0 +1,34 @@
+{{#with cloudAccountsByCsp.azure}}
+
+{{#each this}}
+data "azurerm_resource_group" "azure-{{displayName}}_common" {
+  provider = azurerm.{{displayName}}
+  name = provider::dx::resource_name(merge(local.environment, {
+    resource_type = "resource_group",
+    name = "common"
+    instance_number = 1
+  }, local.azure_accounts.{{displayName}}))
+}
+
+import {
+  to = module.azure-{{displayName}}_core.azurerm_resource_group.common
+  id = data.azurerm_resource_group.azure-{{displayName}}_common.id
+}
+
+data "azurerm_key_vault" "azure-{{displayName}}_common" {
+  provider            = azurerm.{{displayName}}
+  name                = provider::dx::resource_name(merge(local.environment, {
+    resource_type = "key_vault"
+    name = "common"
+    instance_number = 1
+  }, local.azure_accounts.{{displayName}}))
+  resource_group_name = data.azurerm_resource_group.azure-{{displayName}}_common.name
+}
+
+import {
+  to = module.azure-{{displayName}}_core.module.key_vault.azurerm_key_vault.common
+  id = data.azurerm_key_vault.azure-{{displayName}}_common.id
+}
+
+{{/each}}
+{{/with}}

package/templates/environment/core/{{env.name}}/providers.tf.hbs

@@ -6,6 +6,10 @@ terraform {
       version = "~> 4.0"
     }
     {{/with}}
+    dx = {
+      source  = "pagopa-dx/azure"
+      version = "~> 0"
+    }
   }
 }