From b1048af272e7f33fae3c68dc854d40f9be7a4e84 Mon Sep 17 00:00:00 2001
From: Michal Bajer <michal.bajer@fujitsu.com>
Date: Mon, 16 Oct 2023 11:48:39 +0000
Subject: [PATCH] feat(cactus-plugin-ledger-connector-cdl-socketio): separate
 endpoint for subscription key

- Add separate configurations for endpoints supporting access token
    and subscription key separately.
- This is required by current public instance of CDL.

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
---
 .../README.md                                 |  9 +--
 .../sample-config/default.yaml                |  5 ++
 .../main/typescript/connector/cdl-request.ts  | 60 ++++++++++++++-----
 .../main/typescript/connector/type-defs.ts    |  8 ++-
 4 files changed, 60 insertions(+), 22 deletions(-)

diff --git a/packages/cactus-plugin-ledger-connector-cdl-socketio/README.md b/packages/cactus-plugin-ledger-connector-cdl-socketio/README.md
index b76e7575dc..4aff23a30f 100644
--- a/packages/cactus-plugin-ledger-connector-cdl-socketio/README.md
+++ b/packages/cactus-plugin-ledger-connector-cdl-socketio/README.md
@@ -36,12 +36,13 @@ This plugin provides `Cacti` a way to interact with Fujitsu CDL networks. Using
 
 #### Configuring CDL API Gateway Access
 
-- Set the base URL of GW service in `cdlApiGateway.url` (example: `"http://localhost:3000"`).
+- Set the base URL of GW service in `cdlApiGateway.url` (when using JWT access token - DEFAULT) and/or `cdlApiSubscriptionGateway.url` (when using subscription-key)
+  - Example: `"http://localhost:3000"`
 - If the service certificate is signed with a known CA (node uses Mozilla DB), then you can skip the next steps.
 - If the service is signed with unknown CA, you can specify the gateway certificate to trust manually:
-  - Set `cdlApiGateway.caPath` to path of API Gateway certificate (in PEM format). (example: `"/etc/cactus/connector-cdl-socketio/CA/cdl-api-gateway-ca.pem"`)
-  - (optional) If server name in cert doesn't match the one in `cdlApiGateway.url`, you can overwrite it in `cdlApiGateway.serverName`
-- (not recommended - only for development): To ignore certificate rejection (e.g. use self-signed certificate) set `cdlApiGateway.skipCertCheck` to `true`.
+  - Set `cdlApiGateway.caPath`/`cdlApiSubscriptionGateway.caPath` to path of API Gateway certificate (in PEM format). (example: `"/etc/cactus/connector-cdl-socketio/CA/cdl-api-gateway-ca.pem"`)
+  - (optional) If server name in cert doesn't match the one in `url`, you can overwrite it in `cdlApiGateway.serverName`/`cdlApiSubscriptionGateway.serverName`
+- (not recommended - only for development): To ignore certificate rejection (e.g. use self-signed certificate) set `cdlApiGateway.skipCertCheck`/`cdlApiSubscriptionGateway.skipCertCheck` to `true`.
 
 ### Docker
 
diff --git a/packages/cactus-plugin-ledger-connector-cdl-socketio/sample-config/default.yaml b/packages/cactus-plugin-ledger-connector-cdl-socketio/sample-config/default.yaml
index 15a82aa28d..3224f5220a 100644
--- a/packages/cactus-plugin-ledger-connector-cdl-socketio/sample-config/default.yaml
+++ b/packages/cactus-plugin-ledger-connector-cdl-socketio/sample-config/default.yaml
@@ -9,3 +9,8 @@ cdlApiGateway:
     #skipCertCheck: true # Set to true to ignore self-signed and other rejected certificates
     #caPath: "/etc/cactus/connector-cdl-socketio/CA/cdl-api-gateway-ca.pem" # CA of CDL API gateway server in PEM format to use
     #serverName: "cdl.fujitsu" # Overwrite server name from cdlApiGateway.url to match one specified in CA
+cdlApiSubscriptionGateway:
+    url: "http://localhost:3000"
+    #skipCertCheck: true # Set to true to ignore self-signed and other rejected certificates
+    #caPath: "/etc/cactus/connector-cdl-socketio/CA/cdl-api-gateway-ca.pem" # CA of CDL API gateway server in PEM format to use
+    #serverName: "cdl.fujitsu" # Overwrite server name from cdlApiGateway.url to match one specified in CA
diff --git a/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/cdl-request.ts b/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/cdl-request.ts
index 63d110139e..c9c6085687 100644
--- a/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/cdl-request.ts
+++ b/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/cdl-request.ts
@@ -1,5 +1,10 @@
 import {
   AuthInfoArgsType,
+  HTTP_HEADER_SUBSCRIPTION_KEY,
+  HTTP_HEADER_TRUST_USER_ID,
+  HTTP_HEADER_TRUST_USER_ROLE,
+  HTTP_HEADER_TRUST_AGENT_ID,
+  HTTP_HEADER_TRUST_AGENT_ROLE,
   isAuthInfoAccessTokenArgsType,
   isAuthInfoSubscriptionKeyArgsType,
 } from "./type-defs";
@@ -13,11 +18,15 @@ import { readFileSync } from "fs";
 const logger = getLogger("cdl-request[" + process.pid + "]");
 logger.level = configRead("logLevel", "info");
 
-function getHttpsAgent() {
+type HTTPAuthHeadersType = Record<string, string | number | boolean>;
+
+function createHttpsGatewayConfig(
+  gatewayKey: "cdlApiGateway" | "cdlApiSubscriptionGateway",
+) {
   const agentOptions: https.AgentOptions = {};
 
   const skipCertCheck = configRead<boolean>(
-    "cdlApiGateway.skipCertCheck",
+    `${gatewayKey}.skipCertCheck`,
     false,
   );
   if (skipCertCheck) {
@@ -27,7 +36,7 @@ function getHttpsAgent() {
     agentOptions.rejectUnauthorized = !skipCertCheck;
   }
 
-  const caPath = configRead<string>("cdlApiGateway.caPath", "");
+  const caPath = configRead<string>(`${gatewayKey}.caPath`, "");
   if (caPath) {
     logger.info(`Using CDL API GW CA ${caPath}`);
     const gatewayCAString = readFileSync(caPath, "ascii");
@@ -35,16 +44,32 @@ function getHttpsAgent() {
     agentOptions.ca = gatewayCAString;
   }
 
-  const serverName = configRead<string>("cdlApiGateway.serverName", "");
+  const serverName = configRead<string>(`${gatewayKey}.serverName`, "");
   if (serverName) {
     logger.info(`Overwrite CDL API GW server name with '${serverName}'`);
     agentOptions.servername = serverName;
   }
 
-  return new https.Agent(agentOptions);
+  return {
+    baseURL: configRead<string>(`${gatewayKey}.url`),
+    httpsAgent: new https.Agent(agentOptions),
+  };
 }
 
-const COMMON_HTTPS_AGENT = getHttpsAgent();
+const API_GATEWAY_CONFIG = createHttpsGatewayConfig("cdlApiGateway");
+const API_SUBSCRIPTION_GATEWAY_CONFIG = createHttpsGatewayConfig(
+  "cdlApiSubscriptionGateway",
+);
+
+function getHttpsGatewayConfigForHeaders(headers: HTTPAuthHeadersType) {
+  if (HTTP_HEADER_SUBSCRIPTION_KEY in headers) {
+    logger.debug("Using subscription key gateway for this request");
+    return API_SUBSCRIPTION_GATEWAY_CONFIG;
+  }
+
+  logger.debug("Using access token gateway for this request");
+  return API_GATEWAY_CONFIG;
+}
 
 export async function cdlRequest(
   url: string,
@@ -59,17 +84,20 @@ export async function cdlRequest(
 
   logger.debug(`cdlRequest ${httpMethod} ${url} executed`);
 
+  const authHeaders = getAuthorizationHeaders(authInfo);
+  const { httpsAgent, baseURL } = getHttpsGatewayConfigForHeaders(authHeaders);
+
   try {
     const requestResponse = await axios({
-      httpsAgent: COMMON_HTTPS_AGENT,
+      httpsAgent,
       method: httpMethod,
-      baseURL: configRead<string>("cdlApiGateway.url"),
+      baseURL,
       url,
       responseType: "json",
       headers: {
         "User-Agent": configRead<string>("userAgent", "CactiCDLConnector"),
         "Content-Type": "application/json;charset=UTF-8",
-        ...getAuthorizationHeaders(authInfo),
+        ...authHeaders,
       },
       params: queryParams,
       data: dataPayload,
@@ -87,7 +115,7 @@ export async function cdlRequest(
 
 function getAuthorizationHeaders(
   authInfo: AuthInfoArgsType,
-): Record<string, string | number | boolean> {
+): HTTPAuthHeadersType {
   if (
     isAuthInfoAccessTokenArgsType(authInfo) &&
     isAuthInfoSubscriptionKeyArgsType(authInfo)
@@ -100,15 +128,15 @@ function getAuthorizationHeaders(
   if (isAuthInfoAccessTokenArgsType(authInfo)) {
     return {
       Authorization: `Bearer ${authInfo.accessToken}`,
-      "Trust-Agent-Id": authInfo.trustAgentId,
+      [HTTP_HEADER_TRUST_AGENT_ID]: authInfo.trustAgentId,
     };
   } else if (isAuthInfoSubscriptionKeyArgsType(authInfo)) {
     return {
-      "Ocp-Apim-Subscription-Key": authInfo.subscriptionKey,
-      "Trust-User-Id": authInfo.trustUserId,
-      "Trust-User-Role": authInfo.trustUserRole,
-      "Trust-Agent-Id": authInfo.trustAgentId,
-      "Trust-Agent-Role": authInfo.trustAgentRole,
+      [HTTP_HEADER_SUBSCRIPTION_KEY]: authInfo.subscriptionKey,
+      [HTTP_HEADER_TRUST_USER_ID]: authInfo.trustUserId,
+      [HTTP_HEADER_TRUST_USER_ROLE]: authInfo.trustUserRole,
+      [HTTP_HEADER_TRUST_AGENT_ID]: authInfo.trustAgentId,
+      [HTTP_HEADER_TRUST_AGENT_ROLE]: authInfo.trustAgentRole,
     };
   } else {
     throw new Error(
diff --git a/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/type-defs.ts b/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/type-defs.ts
index 121bb81021..111c2f6bf0 100644
--- a/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/type-defs.ts
+++ b/packages/cactus-plugin-ledger-connector-cdl-socketio/src/main/typescript/connector/type-defs.ts
@@ -1,5 +1,3 @@
-import { type } from "os";
-
 export type SupportedFunctions =
   | "registerHistoryData"
   | "getLineage"
@@ -57,3 +55,9 @@ export type FunctionArgsType = {
   args: any;
   reqID?: string;
 };
+
+export const HTTP_HEADER_SUBSCRIPTION_KEY = "Ocp-Apim-Subscription-Key";
+export const HTTP_HEADER_TRUST_USER_ID = "Trust-User-Id";
+export const HTTP_HEADER_TRUST_USER_ROLE = "Trust-User-Role";
+export const HTTP_HEADER_TRUST_AGENT_ID = "Trust-Agent-Id";
+export const HTTP_HEADER_TRUST_AGENT_ROLE = "Trust-Agent-Role";