@platform-mesh/portal-server-lib 0.0.0 → 0.5.3

package/src/portal-options/auth-config-provider.ts

@@ -0,0 +1,82 @@
+import { getDiscoveryEndpoint, getOrganization } from './utils/domain.js';
+import { CoreV1Api, KubeConfig } from '@kubernetes/client-node';
+import { HttpException, HttpStatus, Injectable } from '@nestjs/common';
+import {
+  AuthConfigService,
+  DiscoveryService,
+  ServerAuthVariables,
+} from '@openmfp/portal-server-lib';
+import type { Request } from 'express';
+
+@Injectable()
+export class PMAuthConfigProvider implements AuthConfigService {
+  private k8sApi: CoreV1Api;
+
+  constructor(private discoveryService: DiscoveryService) {
+    const kc = new KubeConfig();
+    kc.loadFromDefault();
+    this.k8sApi = kc.makeApiClient(CoreV1Api);
+  }
+
+  async getAuthConfig(request: Request): Promise<ServerAuthVariables> {
+    const oidcUrl = getDiscoveryEndpoint(request);
+    const clientId = getOrganization(request);
+
+    const baseDomain = process.env['BASE_DOMAINS_DEFAULT'];
+    const clientSecret = await this.getClientSecret(clientId);
+    const oidc = await this.discoveryService.getOIDC(oidcUrl);
+    const oauthServerUrl =
+      oidc?.authorization_endpoint ?? process.env['AUTH_SERVER_URL_DEFAULT'];
+    const oauthTokenUrl =
+      oidc?.token_endpoint ?? process.env['TOKEN_URL_DEFAULT'];
+
+    if (!oauthServerUrl || !oauthTokenUrl || !clientId || !clientSecret) {
+      const hasClientSecret = !!clientSecret;
+      throw new HttpException(
+        {
+          message: 'Default auth configuration incomplete.',
+          error: `The default properly configured. oauthServerUrl: '${oauthServerUrl}' oauthTokenUrl: '${oauthTokenUrl}' clientId: '${clientId}', has client secret: ${String(
+            hasClientSecret,
+          )}`,
+          statusCode: HttpStatus.NOT_FOUND,
+        },
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    return {
+      idpName: clientId,
+      baseDomain,
+      clientId,
+      clientSecret,
+      oauthServerUrl,
+      oauthTokenUrl,
+      oidcIssuerUrl: oidc?.issuer,
+      endSessionUrl: oidc?.end_session_endpoint,
+    };
+  }
+
+  private async getClientSecret(orgName: string) {
+    const secretName = `portal-client-secret-${orgName}`;
+    const namespace = 'platform-mesh-system';
+
+    try {
+      const res = await this.k8sApi.readNamespacedSecret({
+        namespace,
+        name: secretName,
+      });
+      const secretData = res.data;
+
+      return Buffer.from(
+        secretData['attribute.client_secret'],
+        'base64',
+      ).toString('utf-8');
+    } catch (err) {
+      console.error(
+        `Failed to fetch secret ${secretName}:`,
+        err.response?.body || err,
+      );
+      throw err;
+    }
+  }
+}

package/src/portal-options/index.ts

@@ -0,0 +1,11 @@
+export * from './account-entity-context-provider.service.js';
+export * from './pm-portal-context.service.js';
+export * from './pm-request-context-provider.js';
+export * from './auth-config-provider.js';
+export * from './service-providers/content-configuration-service-providers.service.js';
+export * from './service-providers/kubernetes-service-providers.service.js';
+export * from './auth-callback-provider.js';
+export * from './logout-callback.service.js';
+
+export * from './services/kcp-k8s.service.js';
+export * from './services/iam-graphql.service.js';

package/src/portal-options/logout-callback.service.spec.ts

@@ -0,0 +1,113 @@
+import { PMLogoutService } from './logout-callback.service.js';
+import { HttpService } from '@nestjs/axios';
+import { Test, TestingModule } from '@nestjs/testing';
+import {
+  AUTH_CONFIG_INJECTION_TOKEN,
+  AuthConfigService,
+  CookiesService,
+} from '@openmfp/portal-server-lib';
+import { Request, Response } from 'express';
+import { of, throwError } from 'rxjs';
+
+describe('PMLogoutService', () => {
+  let service: PMLogoutService;
+  let httpService: HttpService;
+  let authConfigService: AuthConfigService;
+  let cookiesService: CookiesService;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        PMLogoutService,
+        {
+          provide: HttpService,
+          useValue: { post: jest.fn() },
+        },
+        {
+          provide: AUTH_CONFIG_INJECTION_TOKEN,
+          useValue: { getAuthConfig: jest.fn() },
+        },
+        {
+          provide: CookiesService,
+          useValue: { getAuthCookie: jest.fn() },
+        },
+        {
+          provide: 'AUTH_CONFIG_INJECTION_TOKEN',
+          useValue: {},
+        },
+      ],
+    }).compile();
+
+    service = module.get(PMLogoutService);
+    httpService = module.get(HttpService);
+    authConfigService = module.get(AUTH_CONFIG_INJECTION_TOKEN);
+    cookiesService = module.get(CookiesService);
+  });
+
+  it('should call endSessionUrl with refresh token', async () => {
+    const mockRequest = {} as Request;
+    const mockResponse = {} as Response;
+
+    (authConfigService.getAuthConfig as jest.Mock).mockResolvedValue({
+      clientId: 'client-id',
+      clientSecret: 'secret',
+      endSessionUrl: 'https://keycloak/logout',
+    });
+    (cookiesService.getAuthCookie as jest.Mock).mockReturnValue(
+      'refresh-token',
+    );
+    (httpService.post as jest.Mock).mockReturnValue(of({ data: {} }));
+
+    await service.handleLogout(mockRequest, mockResponse);
+
+    expect(httpService.post).toHaveBeenCalledWith(
+      'https://keycloak/logout',
+      expect.any(URLSearchParams),
+      { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
+    );
+  });
+
+  it('should return logoutWithIdToken URL when logout fails', async () => {
+    const mockRequest = {
+      query: {
+        id_token_hint: 'idtoken',
+        post_logout_redirect_uri: 'https://redirect.com',
+      },
+    } as unknown as Request;
+    const mockResponse = {} as Response;
+
+    (authConfigService.getAuthConfig as jest.Mock).mockResolvedValue({
+      clientId: 'client-id',
+      clientSecret: 'secret',
+      endSessionUrl: 'https://keycloak/logout',
+    });
+    (cookiesService.getAuthCookie as jest.Mock).mockReturnValue(
+      'refresh-token',
+    );
+    (httpService.post as jest.Mock).mockReturnValue(
+      throwError(() => new Error('Network error')),
+    );
+
+    const result = await service.handleLogout(mockRequest, mockResponse);
+
+    expect(result).toBe(
+      'https://keycloak/logout?id_token_hint=idtoken&post_logout_redirect_uri=https%3A%2F%2Fredirect.com',
+    );
+  });
+
+  it('logoutWithIdToken should return valid URL', () => {
+    const request = {
+      query: {
+        id_token_hint: 'token123',
+        post_logout_redirect_uri: 'https://example.com',
+      },
+    } as unknown as Request;
+    const result = (service as any).logoutWithIdToken(
+      request,
+      'https://kc/logout',
+    );
+    expect(result).toBe(
+      'https://kc/logout?id_token_hint=token123&post_logout_redirect_uri=https%3A%2F%2Fexample.com',
+    );
+  });
+});

package/src/portal-options/logout-callback.service.ts

@@ -0,0 +1,60 @@
+import { HttpService } from '@nestjs/axios';
+import { Inject, Injectable, Logger } from '@nestjs/common';
+import {
+  AUTH_CONFIG_INJECTION_TOKEN,
+  AuthConfigService,
+  CookiesService,
+  LogoutCallback,
+} from '@openmfp/portal-server-lib';
+import { Request, Response } from 'express';
+import { firstValueFrom } from 'rxjs';
+
+@Injectable()
+export class PMLogoutService implements LogoutCallback {
+  private logger: Logger = new Logger(PMLogoutService.name);
+
+  constructor(
+    @Inject(AUTH_CONFIG_INJECTION_TOKEN)
+    private authConfigService: AuthConfigService,
+    private httpService: HttpService,
+    private cookiesService: CookiesService,
+  ) {}
+
+  public async handleLogout(
+    request: Request,
+    response: Response,
+  ): Promise<void | string> {
+    const authConfig = await this.authConfigService.getAuthConfig(request);
+    try {
+      const refreshToken = this.cookiesService.getAuthCookie(request);
+
+      const body = new URLSearchParams({
+        client_id: authConfig.clientId,
+        client_secret: authConfig.clientSecret,
+        refresh_token: refreshToken,
+      });
+
+      await firstValueFrom(
+        this.httpService.post(authConfig.endSessionUrl, body, {
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        }),
+      );
+    } catch (error: any) {
+      this.logger.error(
+        'Error during keycloak logout',
+        error?.response?.data || error.message,
+      );
+      this.logger.warn('Trying to log out with the id token');
+      return this.logoutWithIdToken(request, authConfig.endSessionUrl);
+    }
+  }
+
+  private logoutWithIdToken(request: Request, endSessionUrl: string) {
+    const { id_token_hint, post_logout_redirect_uri } = request.query;
+    const params = new URLSearchParams({
+      id_token_hint: String(id_token_hint || ''),
+      post_logout_redirect_uri: String(post_logout_redirect_uri || ''),
+    });
+    return `${endSessionUrl}?${params}`;
+  }
+}

package/src/portal-options/models/luigi-context.ts

@@ -0,0 +1,4 @@
+export interface PortalContext extends Record<string, any> {
+  crdGatewayApiUrl?: string;
+  iamServiceApiUrl?: string;
+}

package/src/portal-options/pm-portal-context.service.spec.ts

@@ -0,0 +1,155 @@
+import { PMPortalContextService } from './pm-portal-context.service.js';
+import { KcpKubernetesService } from './services/kcp-k8s.service.js';
+import { getOrganization } from './utils/domain.js';
+import { Test, TestingModule } from '@nestjs/testing';
+import { Request } from 'express';
+import { mock } from 'jest-mock-extended';
+import process from 'node:process';
+
+jest.mock('@kubernetes/client-node', () => {
+  class KubeConfig {
+    loadFromDefault = jest.fn();
+    loadFromFile = jest.fn();
+    getCurrentCluster = jest.fn().mockReturnValue({
+      server: 'https://k8s.example.com/base',
+      name: 'test-cluster',
+    });
+    makeApiClient = jest.fn();
+    addUser = jest.fn();
+    addContext = jest.fn();
+    setCurrentContext = jest.fn();
+  }
+  class CustomObjectsApi {}
+  return { KubeConfig, CustomObjectsApi };
+});
+
+jest.mock('./utils/domain.js', () => ({
+  getOrganization: jest.fn(),
+}));
+
+describe('PMPortalContextService', () => {
+  let service: PMPortalContextService;
+  let kcpKubernetesServiceMock: jest.Mocked<KcpKubernetesService>;
+  const mockedGetDomainAndOrganization = jest.mocked(getOrganization);
+  let mockRequest: any;
+
+  beforeEach(async () => {
+    kcpKubernetesServiceMock = mock();
+
+    mockedGetDomainAndOrganization.mockReturnValue('test-org');
+
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        PMPortalContextService,
+        { provide: KcpKubernetesService, useValue: kcpKubernetesServiceMock },
+      ],
+    }).compile();
+
+    service = module.get<PMPortalContextService>(PMPortalContextService);
+    mockRequest = {
+      hostname: 'test.example.com',
+    };
+
+    jest.spyOn(console, 'log').mockImplementation();
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it('should be defined', () => {
+    expect(service).toBeDefined();
+  });
+
+  it('should return context with kcp workspace url', async () => {
+    kcpKubernetesServiceMock.getKcpWorkspacePublicUrl.mockReturnValue(
+      'https://kcp.api.example.com/',
+    );
+
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      {},
+    );
+
+    expect(result).toEqual({
+      kcpWorkspaceUrl: 'https://kcp.api.example.com/',
+    });
+  });
+
+  it('should return empty context when no environment variables match prefix', async () => {
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      {},
+    );
+
+    expect(result).toEqual({});
+  });
+
+  it('should process GraphQL gateway API URL with subdomain when hostname differs from domain', async () => {
+    mockedGetDomainAndOrganization.mockReturnValue('test-org');
+
+    mockRequest.hostname = 'subdomain.example.com';
+
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      {
+        crdGatewayApiUrl:
+          'https://${org-subdomain}api.example.com/${org-name}/graphql',
+      },
+    );
+
+    expect(result.crdGatewayApiUrl).toBe(
+      'https://test-org.api.example.com/test-org/graphql',
+    );
+  });
+
+  it('should process GraphQL IAM API URL with subdomain', async () => {
+    mockedGetDomainAndOrganization.mockReturnValue('test-org');
+
+    mockRequest.hostname = 'example.com';
+
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      { iamServiceApiUrl: 'https://${org-subdomain}example.com/iam/graphql' },
+    );
+
+    expect(result.iamServiceApiUrl).toBe(
+      'https://test-org.example.com/iam/graphql',
+    );
+  });
+
+  it('should process GraphQL gateway API URL without subdomain when hostname matches domain', async () => {
+    mockedGetDomainAndOrganization.mockReturnValue('test-org');
+    process.env['BASE_DOMAINS_DEFAULT'] = 'example.com';
+    mockRequest.hostname = 'example.com';
+
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      {
+        crdGatewayApiUrl:
+          'https://${org-subdomain}api.example.com/${org-name}/graphql',
+      },
+    );
+
+    expect(result.crdGatewayApiUrl).toBe(
+      'https://api.example.com/test-org/graphql',
+    );
+  });
+
+  it('should handle undefined crdGatewayApiUrl gracefully', async () => {
+    const result = await service.getContextValues(
+      mockRequest as Request,
+      new Response(),
+      { otherKey: 'value' },
+    );
+
+    expect(result).toEqual({
+      otherKey: 'value',
+    });
+  });
+});

package/src/portal-options/pm-portal-context.service.ts

@@ -0,0 +1,63 @@
+import { PortalContext } from './models/luigi-context.js';
+import { KcpKubernetesService } from './services/kcp-k8s.service.js';
+import { getOrganization } from './utils/domain.js';
+import { Injectable } from '@nestjs/common';
+import { PortalContextProvider } from '@openmfp/portal-server-lib';
+import type { Request, Response } from 'express';
+import process from 'node:process';
+
+@Injectable()
+export class PMPortalContextService implements PortalContextProvider {
+  constructor(private kcpKubernetesService: KcpKubernetesService) {}
+
+  async getContextValues(
+    request: Request,
+    response: Response,
+    portalContext: PortalContext,
+  ): Promise<PortalContext> {
+    this.processDynamicApiUrls(request, portalContext);
+    this.addKcpWorkspaceUrl(request, portalContext);
+
+    return portalContext;
+  }
+
+  private addKcpWorkspaceUrl(
+    request: Request,
+    portalContext: PortalContext,
+  ) {
+    const organization = getOrganization(request);
+    const account = request.query?.['core_platform-mesh_io_account'];
+
+    portalContext.kcpWorkspaceUrl =
+      this.kcpKubernetesService.getKcpWorkspacePublicUrl(organization, account);
+  }
+
+  private processDynamicApiUrls(
+    request: Request,
+    portalContext: PortalContext,
+  ): void {
+    const org = getOrganization(request);
+    const baseDomain = process.env['BASE_DOMAINS_DEFAULT'];
+    const subDomain = request.hostname !== baseDomain ? `${org}.` : '';
+
+    const replacements = {
+      '${org-subdomain}': subDomain,
+      '${org-name}': org,
+    };
+
+    const replacePlaceholders = (url?: string) =>
+      url
+        ? Object.entries(replacements).reduce(
+            (acc, [key, value]) => acc.replace(key, value),
+            url,
+          )
+        : url;
+
+    portalContext.crdGatewayApiUrl = replacePlaceholders(
+      portalContext.crdGatewayApiUrl,
+    );
+    portalContext.iamServiceApiUrl = replacePlaceholders(
+      portalContext.iamServiceApiUrl,
+    );
+  }
+}

package/src/portal-options/pm-request-context-provider.spec.ts

@@ -0,0 +1,69 @@
+import { PMRequestContextProvider } from './pm-request-context-provider.js';
+import { getOrganization } from './utils/domain.js';
+import { PortalContextProviderImpl } from '@openmfp/portal-server-lib';
+import type { Request } from 'express';
+import { mock } from 'jest-mock-extended';
+
+jest.mock('@kubernetes/client-node', () => {
+  class KubeConfig {
+    loadFromDefault = jest.fn();
+    loadFromFile = jest.fn();
+    getCurrentCluster = jest.fn().mockReturnValue({
+      server: 'https://k8s.example.com/base',
+      name: 'test-cluster',
+    });
+    makeApiClient = jest.fn();
+    addUser = jest.fn();
+    addContext = jest.fn();
+    setCurrentContext = jest.fn();
+  }
+  class CustomObjectsApi {}
+  return { KubeConfig, CustomObjectsApi };
+});
+
+jest.mock('./utils/domain.js', () => ({
+  getOrganization: jest.fn(),
+}));
+
+describe('PMRequestContextProvider', () => {
+  let provider: PMRequestContextProvider;
+  const portalContextService = mock<PortalContextProviderImpl>();
+  const mockedGetOrganization = jest.mocked(getOrganization);
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+    mockedGetOrganization.mockReturnValue('org1');
+    (
+      portalContextService.getContextValues as unknown as jest.Mock
+    ).mockResolvedValue({
+      crdGatewayApiUrl: 'http://gateway/graphql',
+      other: 'x',
+    });
+
+    provider = new PMRequestContextProvider(portalContextService);
+  });
+
+  it('should merge request query, portal context and organization from envService', async () => {
+    const req = {
+      query: { account: 'acc-123', extra: '1' },
+      hostname: 'org1.example.com',
+    } as unknown as Request;
+    const res = new Response();
+
+    const result = await provider.getContextValues(req, res);
+
+    expect(result).toMatchObject({
+      account: 'acc-123',
+      extra: '1',
+      crdGatewayApiUrl: 'http://gateway/graphql',
+      other: 'x',
+      organization: 'org1',
+    });
+
+    expect(mockedGetOrganization).toHaveBeenCalledWith(req);
+    expect(portalContextService.getContextValues).toHaveBeenCalledWith(
+      req,
+      res,
+    );
+  });
+});

package/src/portal-options/pm-request-context-provider.ts

@@ -0,0 +1,33 @@
+import { getOrganization } from './utils/domain.js';
+import { Injectable } from '@nestjs/common';
+import {
+  PortalContextProviderImpl,
+  RequestContextProvider,
+} from '@openmfp/portal-server-lib';
+import type { Request, Response } from 'express';
+
+export interface RequestContext extends Record<string, any> {
+  account?: string;
+  organization: string;
+  crdGatewayApiUrl?: string;
+  isSubDomain: boolean;
+}
+
+@Injectable()
+export class PMRequestContextProvider implements RequestContextProvider {
+  constructor(private portalContextService: PortalContextProviderImpl) {}
+
+  async getContextValues(
+    request: Request,
+    response: Response,
+  ): Promise<RequestContext> {
+    const organization = getOrganization(request);
+    const baseDomain = process.env['BASE_DOMAINS_DEFAULT'];
+    return {
+      ...request.query,
+      ...(await this.portalContextService.getContextValues(request, response)),
+      organization,
+      isSubDomain: request.hostname !== baseDomain,
+    };
+  }
+}