Persist inbound authentication signature

apps/orchestration/src/policy-engine/__test__/e2e/facade.spec.ts

@@ -205,6 +205,7 @@ describe('Policy Engine Cluster Facade', () => {
       message: 'Testing sign message request'
     }
     const authzRequest: AuthorizationRequest = {
+      authentication,
       id: '986ae19d-c30c-40c6-b873-1fb6c49011de',
       orgId: org.id,
       status: AuthorizationRequestStatus.PERMITTED,

apps/orchestration/src/policy-engine/core/type/domain.type.ts

@@ -19,11 +19,14 @@ export enum AuthorizationRequestStatus {
   FORBIDDEN = 'FORBIDDEN'
 }
 
-export type Approval = {
-  id: string
+export type Signature = {
   sig: string
   alg: string
   pubKey: string
+}
+
+export type Approval = Signature & {
+  id: string
   createdAt: Date
 }
 
@@ -47,6 +50,7 @@ export type SharedAuthorizationRequest = {
    */
   hash: string
   idempotencyKey?: string | null
+  authentication: Signature
   approvals: Approval[]
   evaluations: Evaluation[]
   createdAt: Date

apps/orchestration/src/policy-engine/http/rest/util.ts

@@ -1,6 +1,7 @@
 import {
   CreateApproval,
   CreateAuthorizationRequest,
+  Signature,
   SupportedAction
 } from '@app/orchestration/policy-engine/core/type/domain.type'
 import { AuthorizationRequestDto } from '@app/orchestration/policy-engine/http/rest/dto/authorization-request.dto'
@@ -15,12 +16,13 @@ export const toCreateAuthorizationRequest = (
 ): CreateAuthorizationRequest => {
   const dto = plainToInstance(AuthorizationRequestDto, body)
   const approvals: CreateApproval[] = dto.approvals
+  const authentication: Signature = dto.authentication
 
   const shared = {
     orgId,
-    initiatorId: '97389cac-20f0-4d02-a3a9-b27c564ffd18',
-    hash: dto.hash,
     approvals,
+    authentication,
+    hash: dto.hash,
     evaluations: []
   }
 

apps/orchestration/src/policy-engine/persistence/decode/__test__/unit/authorization-request.decode.spec.ts

@@ -10,6 +10,10 @@ describe('decodeAuthorizationRequest', () => {
     status: AuthorizationRequestStatus.CREATED,
     hash: 'test-request-hash',
     idempotencyKey: null,
+    authnSig:
+      '0xe24d097cea880a40f8be2cf42f497b9fbda5f9e4a31b596827e051d78dce75c032fa7e5ee3046f7c6f116e5b98cb8d268fa9b9d222ff44719e2ec2a0d9159d0d1c',
+    authnAlg: 'ES256K',
+    authnPubKey: '0xd75D626a116D4a1959fE3bB938B2e7c116A05890',
     evaluationLog: [],
     approvals: [],
     createdAt: new Date(),

apps/orchestration/src/policy-engine/persistence/decode/authorization-request.decode.ts

@@ -18,12 +18,17 @@ const buildEvaluation = ({ id, decision, signature, createdAt }: EvaluationLog):
   createdAt
 })
 
-const buildSharedAttributes = (model: Model) => ({
+const buildSharedAttributes = (model: Model): Omit<AuthorizationRequest, 'action' | 'request'> => ({
   id: model.id,
   orgId: model.orgId,
   status: model.status,
   hash: model.hash,
   idempotencyKey: model.idempotencyKey,
+  authentication: {
+    alg: model.authnAlg,
+    sig: model.authnSig,
+    pubKey: model.authnPubKey
+  },
   approvals: (model.approvals || []).map(omit('requestId')),
   evaluations: (model.evaluationLog || []).map(buildEvaluation),
   createdAt: model.createdAt,

apps/orchestration/src/policy-engine/persistence/repository/__test__/integration/authorization-request.repository.spec.ts

@@ -4,6 +4,7 @@ import {
   Evaluation,
   SignMessageAuthorizationRequest,
   SignTransactionAuthorizationRequest,
+  Signature,
   SupportedAction,
   isSignTransaction
 } from '@app/orchestration/policy-engine/core/type/domain.type'
@@ -27,7 +28,14 @@ describe(AuthorizationRequestRepository.name, () => {
     updatedAt: new Date()
   }
 
+  const authentication: Signature = {
+    sig: '0xe24d097cea880a40f8be2cf42f497b9fbda5f9e4a31b596827e051d78dce75c032fa7e5ee3046f7c6f116e5b98cb8d268fa9b9d222ff44719e2ec2a0d9159d0d1c',
+    alg: 'ES256K',
+    pubKey: '0xd75D626a116D4a1959fE3bB938B2e7c116A05890'
+  }
+
   const signMessageRequest: SignMessageAuthorizationRequest = {
+    authentication,
     id: '6c7e92fc-d2b0-4840-8e9b-485393ecdf89',
     orgId: org.id,
     status: AuthorizationRequestStatus.PROCESSING,
@@ -76,7 +84,12 @@ describe(AuthorizationRequestRepository.name, () => {
         }
       })
 
-      expect(request).toMatchObject(omit(['evaluations', 'approvals'], signMessageRequest))
+      expect(request).toMatchObject(omit(['evaluations', 'approvals', 'authentication'], signMessageRequest))
+      expect({
+        sig: request?.authnSig,
+        alg: request?.authnAlg,
+        pubKey: request?.authnPubKey
+      }).toEqual(authentication)
     })
 
     it('defaults status to CREATED', async () => {

apps/orchestration/src/policy-engine/persistence/repository/authorization-request.repository.ts

@@ -19,8 +19,20 @@ export class AuthorizationRequestRepository {
   constructor(private prismaService: PrismaService) {}
 
   async create(input: CreateAuthorizationRequest): Promise<AuthorizationRequest> {
-    const { id, action, request, orgId, hash, status, idempotencyKey, createdAt, updatedAt, evaluations, approvals } =
-      createAuthorizationRequestSchema.parse(this.getDefaults(input))
+    const {
+      id,
+      action,
+      request,
+      orgId,
+      hash,
+      status,
+      idempotencyKey,
+      createdAt,
+      updatedAt,
+      evaluations,
+      approvals,
+      authentication
+    } = createAuthorizationRequestSchema.parse(this.getDefaults(input))
     const evaluationLogs = this.toEvaluationLogs(orgId, evaluations)
 
     const model = await this.prismaService.authorizationRequest.create({
@@ -34,6 +46,9 @@ export class AuthorizationRequestRepository {
         idempotencyKey,
         createdAt,
         updatedAt,
+        authnAlg: authentication.alg,
+        authnSig: authentication.sig,
+        authnPubKey: authentication.pubKey,
         approvals: {
           createMany: {
             data: approvals

apps/orchestration/src/policy-engine/persistence/schema/authorization-request.schema.ts

@@ -10,11 +10,14 @@ import {
 import { AuthorizationRequestStatus } from '@prisma/client/orchestration'
 import { z } from 'zod'
 
-const approvalSchema = z.object({
-  id: z.string().uuid(),
+const signatureSchema = z.object({
   sig: z.string(),
   alg: z.string(),
-  pubKey: z.string(),
+  pubKey: z.string()
+})
+
+const approvalSchema = signatureSchema.extend({
+  id: z.string().uuid(),
   createdAt: z.date()
 })
 
@@ -30,6 +33,7 @@ const sharedAuthorizationRequestSchema = z.object({
   orgId: z.string().uuid(),
   status: z.nativeEnum(AuthorizationRequestStatus),
   hash: z.string(),
+  authentication: signatureSchema,
   idempotencyKey: z.string().nullish(),
   approvals: z.array(approvalSchema),
   evaluations: z.array(evaluationSchema),

apps/orchestration/src/policy-engine/queue/consumer/__test__/integration/authorization-request-processing.consumer.spec.ts

@@ -8,6 +8,7 @@ import {
   AuthorizationRequest,
   AuthorizationRequestProcessingJob,
   AuthorizationRequestStatus,
+  Signature,
   SupportedAction
 } from '@app/orchestration/policy-engine/core/type/domain.type'
 import { AuthorizationRequestRepository } from '@app/orchestration/policy-engine/persistence/repository/authorization-request.repository'
@@ -39,7 +40,14 @@ describe(AuthorizationRequestProcessingConsumer.name, () => {
     updatedAt: new Date()
   }
 
+  const authentication: Signature = {
+    sig: '0xe24d097cea880a40f8be2cf42f497b9fbda5f9e4a31b596827e051d78dce75c032fa7e5ee3046f7c6f116e5b98cb8d268fa9b9d222ff44719e2ec2a0d9159d0d1c',
+    alg: 'ES256K',
+    pubKey: '0xd75D626a116D4a1959fE3bB938B2e7c116A05890'
+  }
+
   const authzRequest: AuthorizationRequest = {
+    authentication,
     id: '6c7e92fc-d2b0-4840-8e9b-485393ecdf89',
     orgId: org.id,
     status: AuthorizationRequestStatus.PROCESSING,

apps/orchestration/src/policy-engine/queue/producer/__test__/integration/authorization-request-processing.producer.spec.ts

@@ -4,6 +4,7 @@ import {
   AuthorizationRequest,
   AuthorizationRequestProcessingJob,
   AuthorizationRequestStatus,
+  Signature,
   SupportedAction
 } from '@app/orchestration/policy-engine/core/type/domain.type'
 import { AuthorizationRequestRepository } from '@app/orchestration/policy-engine/persistence/repository/authorization-request.repository'
@@ -25,7 +26,14 @@ describe(AuthorizationRequestProcessingProducer.name, () => {
   let producer: AuthorizationRequestProcessingProducer
   let testPrismaService: TestPrismaService
 
+  const authentication: Signature = {
+    sig: '0xe24d097cea880a40f8be2cf42f497b9fbda5f9e4a31b596827e051d78dce75c032fa7e5ee3046f7c6f116e5b98cb8d268fa9b9d222ff44719e2ec2a0d9159d0d1c',
+    alg: 'ES256K',
+    pubKey: '0xd75D626a116D4a1959fE3bB938B2e7c116A05890'
+  }
+
   const authzRequest: AuthorizationRequest = {
+    authentication,
     id: '6c7e92fc-d2b0-4840-8e9b-485393ecdf89',
     orgId: 'ac1374c2-fd62-4b6e-bd49-a4afcdcb91cc',
     status: AuthorizationRequestStatus.CREATED,

apps/orchestration/src/shared/module/persistence/schema/migrations/20240118174652_init/migration.sql → apps/orchestration/src/shared/module/persistence/schema/migrations/20240119130400_init/migration.sql

@@ -23,6 +23,9 @@ CREATE TABLE "authorization_request" (
     "hash" TEXT NOT NULL,
     "request" JSONB NOT NULL,
     "idempotency_key" TEXT,
+    "authn_sig" TEXT NOT NULL,
+    "authn_alg" TEXT NOT NULL,
+    "authn_pub_key" TEXT NOT NULL,
     "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
 

apps/orchestration/src/shared/module/persistence/schema/schema.prisma

@@ -44,6 +44,9 @@ model AuthorizationRequest {
   hash           String
   request        Json
   idempotencyKey String?                    @unique @map("idempotency_key")
+  authnSig       String                     @map("authn_sig")
+  authnAlg       String                     @map("authn_alg")
+  authnPubKey    String                     @map("authn_pub_key")
   createdAt      DateTime                   @default(now()) @map("created_at")
   updatedAt      DateTime                   @default(now()) @updatedAt @map("updated_at")