credebl
diff --git a/‎.env.sample‎
Lines changed: 7 additions & 0 deletions b/‎.env.sample‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/continuous-delivery.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/continuous-delivery.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfiles/Dockerfile.ecosystem‎
Lines changed: 44 additions & 0 deletions b/‎Dockerfiles/Dockerfile.ecosystem‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎apps/api-gateway/src/app.module.ts‎
Lines changed: 22 additions & 17 deletions b/‎apps/api-gateway/src/app.module.ts‎
Lines changed: 22 additions & 17 deletions
diff --git a/‎apps/api-gateway/src/authz/authz.module.ts‎
Lines changed: 2 additions & 0 deletions b/‎apps/api-gateway/src/authz/authz.module.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎apps/api-gateway/src/authz/guards/ecosystem-feature-guard.ts‎
Lines changed: 20 additions & 0 deletions b/‎apps/api-gateway/src/authz/guards/ecosystem-feature-guard.ts‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts‎
Lines changed: 117 additions & 0 deletions b/‎apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎apps/api-gateway/src/authz/guards/ecosystem-swagger.filter.ts‎
Lines changed: 34 additions & 0 deletions b/‎apps/api-gateway/src/authz/guards/ecosystem-swagger.filter.ts‎
Lines changed: 34 additions & 0 deletions
@@ -118,6 +118,7 @@ AGENT_SERVICE_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for agent s
 VERIFICATION_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for verification service
 ISSUANCE_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for issuance service
 CONNECTION_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for connection service
+ECOSYSTEM_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for ecosystem service
 CREDENTAILDEFINITION_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for credential-definition service
 SCHEMA_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for schema service
 UTILITIES_NKEY_SEED=xxxxxxxxxxxxx // Please provide Nkeys secret for utilities service
@@ -203,6 +204,12 @@ CLUSTER_NAME=CREDO-CONTROLLER-CLUSTER  # ECS cluster name for credo controller
 TASKDEFINITION_FAMILY=CREDO-CONTROLLER-TASKDEFINITION # ECS taskdefinition name for credo controller
 PROTOCOL=http
 
+#Platform admin setup 
+PLATFORM_ADMIN_KEYCLOAK_ID=adminClient #Create a new keycloak client for platform admin (admin console) with adminClient name and add its client id
+PLATFORM_ADMIN_KEYCLOAK_SECRET=xxxxxxxxxxxx #Add the secret of keycloak client created for the above platform admin (admin console) id
+PLATFORM_ADMIN_OLD_CLIENT_ID=adminClient #Add incase the keycloak id of the old platform client is changed and want to update all the users in database with the new admin client
+#Note : the above is for platform client and not platform admin client 
+
 # To add more client add the following variables for each additional client.
 # Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
 # Default client will not need the following details
 
@@ -34,6 +34,7 @@ jobs:
           - x509
           - oid4vc-issuance
           - oid4vc-verification
+          - ecosystem
 
     permissions:
       contents: read
 
@@ -0,0 +1,44 @@
+# Stage 1: Build the application
+FROM node:18-alpine as build
+# Install OpenSSL
+RUN apk add --no-cache openssl
+RUN npm install -g pnpm
+# Set the working directory
+WORKDIR /app
+
+# Copy package.json and package-lock.json
+COPY package.json ./
+COPY pnpm-workspace.yaml ./
+#COPY package-lock.json ./
+
+ENV PUPPETEER_SKIP_DOWNLOAD=true
+
+# Install dependencies while ignoring scripts (including Puppeteer's installation)
+RUN pnpm i --ignore-scripts
+
+# Copy the rest of the application code
+COPY . .
+# RUN cd libs/prisma-service && npx prisma migrate deploy && npx prisma generate
+RUN cd libs/prisma-service && npx prisma generate
+
+# Build the connection service
+RUN pnpm run build ecosystem
+
+# Stage 2: Create the final image
+FROM node:18-alpine
+# Install OpenSSL
+RUN apk add --no-cache openssl
+# RUN npm install -g pnpm
+# Set the working directory
+WORKDIR /app
+
+# Copy the compiled code from the build stage
+COPY --from=build /app/dist/apps/ecosystem/ ./dist/apps/ecosystem/
+
+# Copy the libs folder from the build stage
+COPY --from=build /app/libs/ ./libs/
+#COPY --from=build /app/package.json ./  
+COPY --from=build /app/node_modules  ./node_modules
+
+# Set the command to run the microservice
+CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && npx prisma generate && cd ../.. && node dist/apps/ecosystem/main.js"]
@@ -1,38 +1,41 @@
+import { ClientsModule, Transport } from '@nestjs/microservices';
+import { CommonConstants, MICRO_SERVICE_NAME } from '@credebl/common/common.constant';
+import { ConditionalModule, ConfigModule } from '@nestjs/config';
 import { MiddlewareConsumer, Module, RequestMethod } from '@nestjs/common';
+
 import { AgentController } from './agent/agent.controller';
 import { AgentModule } from './agent-service/agent-service.module';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
 import { AuthzMiddleware } from './authz/authz.middleware';
 import { AuthzModule } from './authz/authz.module';
-import { ClientsModule, Transport } from '@nestjs/microservices';
-import { ConditionalModule, ConfigModule } from '@nestjs/config';
+import { CacheModule } from '@nestjs/cache-manager';
+import { CloudWalletModule } from './cloud-wallet/cloud-wallet.module';
+import { ConnectionModule } from './connection/connection.module';
+import { ContextModule } from '@credebl/context/contextModule';
 import { CredentialDefinitionModule } from './credential-definition/credential-definition.module';
+import { EcosystemModule } from './ecosystem/ecosystem.module';
+import { EcosystemSwaggerFilter } from './authz/guards/ecosystem-swagger.filter';
 import { FidoModule } from './fido/fido.module';
+import { GeoLocationModule } from './geo-location/geo-location.module';
+import { GlobalConfigModule } from '@credebl/config/global-config.module';
 import { IssuanceModule } from './issuance/issuance.module';
+import { LoggerModule } from '@credebl/logger/logger.module';
+import { NotificationModule } from './notification/notification.module';
+import { Oid4vcIssuanceModule } from './oid4vc-issuance/oid4vc-issuance.module';
+import { Oid4vpModule } from './oid4vc-verification/oid4vc-verification.module';
 import { OrganizationModule } from './organization/organization.module';
+import { ConfigModule as PlatformConfig } from '@credebl/config/config.module';
 import { PlatformModule } from './platform/platform.module';
-import { VerificationModule } from './verification/verification.module';
 import { RevocationController } from './revocation/revocation.controller';
 import { RevocationModule } from './revocation/revocation.module';
 import { SchemaModule } from './schema/schema.module';
 import { UserModule } from './user/user.module';
-import { ConnectionModule } from './connection/connection.module';
-import { getNatsOptions } from '@credebl/common/nats.config';
-import { CacheModule } from '@nestjs/cache-manager';
-import { WebhookModule } from './webhook/webhook.module';
 import { UtilitiesModule } from './utilities/utilities.module';
-import { NotificationModule } from './notification/notification.module';
-import { GeoLocationModule } from './geo-location/geo-location.module';
-import { CommonConstants, MICRO_SERVICE_NAME } from '@credebl/common/common.constant';
-import { CloudWalletModule } from './cloud-wallet/cloud-wallet.module';
-import { ContextModule } from '@credebl/context/contextModule';
-import { LoggerModule } from '@credebl/logger/logger.module';
-import { GlobalConfigModule } from '@credebl/config/global-config.module';
-import { ConfigModule as PlatformConfig } from '@credebl/config/config.module';
-import { Oid4vcIssuanceModule } from './oid4vc-issuance/oid4vc-issuance.module';
+import { VerificationModule } from './verification/verification.module';
+import { WebhookModule } from './webhook/webhook.module';
 import { X509Module } from './x509/x509.module';
-import { Oid4vpModule } from './oid4vc-verification/oid4vc-verification.module';
+import { getNatsOptions } from '@credebl/common/nats.config';
 import { shouldLoadOidcModules } from '@credebl/common/common.utils';
 
 @Module({
@@ -63,6 +66,7 @@ import { shouldLoadOidcModules } from '@credebl/common/common.utils';
     UtilitiesModule,
     WebhookModule,
     NotificationModule,
+    EcosystemModule,
     GlobalConfigModule,
     CacheModule.register(),
     GeoLocationModule,
@@ -74,6 +78,7 @@ import { shouldLoadOidcModules } from '@credebl/common/common.utils';
   controllers: [AppController],
   providers: [
     AppService,
+    EcosystemSwaggerFilter,
     {
       provide: MICRO_SERVICE_NAME,
       useValue: 'APIGATEWAY'
 
@@ -8,6 +8,7 @@ import { CommonConstants } from '@credebl/common/common.constant';
 import { CommonModule } from '../../../../libs/common/src/common.module';
 import { CommonService } from '../../../../libs/common/src/common.service';
 import { ConnectionService } from '../connection/connection.service';
+import { EcosystemModule } from '../ecosystem/ecosystem.module';
 import { HttpModule } from '@nestjs/axios';
 import { JwtStrategy } from './jwt.strategy';
 import { MobileJwtStrategy } from './mobile-jwt.strategy';
@@ -25,6 +26,7 @@ import { getNatsOptions } from '@credebl/common/nats.config';
 
 @Module({
   imports: [
+    EcosystemModule,
     HttpModule,
     PassportModule.register({
       defaultStrategy: 'jwt',
 
@@ -0,0 +1,20 @@
+import { CanActivate, ForbiddenException, Injectable, Scope } from '@nestjs/common';
+
+import { EcosystemRepository } from 'apps/ecosystem/repositories/ecosystem.repository';
+import { ResponseMessages } from '@credebl/common/response-messages';
+
+@Injectable({ scope: Scope.REQUEST })
+export class EcosystemFeatureGuard implements CanActivate {
+  constructor(private readonly ecosystemRepository: EcosystemRepository) {}
+
+  async canActivate(): Promise<boolean> {
+    const config = await this.ecosystemRepository.getPlatformConfig();
+    const enabled = Boolean(config?.isEcosystemEnabled);
+
+    if (!enabled) {
+      throw new ForbiddenException(ResponseMessages.ecosystem.error.featureIsDisabled);
+    }
+
+    return true;
+  }
+}
@@ -0,0 +1,117 @@
+import { BadRequestException, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+
+import { Injectable } from '@nestjs/common';
+import { OrgRoles } from 'libs/org-roles/enums';
+import { ROLES_KEY } from '../decorators/roles.decorator';
+import { Reflector } from '@nestjs/core';
+import { ResponseMessages } from '@credebl/common/response-messages';
+import { validate as isValidUUID } from 'uuid';
+
+@Injectable()
+export class EcosystemRolesGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {} // eslint-disable-next-line array-callback-return
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const requiredRoles = this.reflector.getAllAndOverride<OrgRoles[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+
+    if (!requiredRoles || 0 === requiredRoles.length) {
+      return true;
+    }
+    const requiredRolesNames = requiredRoles as string[];
+    const reqData = context.switchToHttp().getRequest();
+    const { user } = reqData;
+
+    let orgId = '';
+
+    switch (true) {
+      case 'string' === typeof reqData.params?.orgId:
+        orgId = reqData.params.orgId.trim();
+        break;
+
+      case 'string' === typeof reqData.query?.orgId:
+        orgId = reqData.query.orgId.trim();
+        break;
+
+      case 'string' === typeof reqData.body?.orgId:
+        orgId = reqData.body.orgId.trim();
+        break;
+
+      default:
+        orgId = '';
+    }
+
+    const isPlatformAdmin = user.email === process.env.PLATFORM_ADMIN_EMAIL;
+
+    if (user?.ecosystemRoles && requiredRolesNames.some((role: string) => user.ecosystemRoles.includes(role))) {
+      return true;
+    }
+
+    if (isPlatformAdmin && requiredRolesNames.includes(OrgRoles.PLATFORM_ADMIN)) {
+      // eslint-disable-next-line array-callback-return
+      const isPlatformAdminFlag = user.userOrgRoles.find((orgDetails) => {
+        if (orgDetails.orgRole.name === OrgRoles.PLATFORM_ADMIN) {
+          return true;
+        }
+      });
+
+      if (isPlatformAdminFlag) {
+        return true;
+      }
+    }
+
+    if (orgId) {
+      if (!isValidUUID(orgId)) {
+        throw new BadRequestException(ResponseMessages.organisation.error.invalidOrgId);
+      }
+
+      if (user.hasOwnProperty('resource_access') && user.resource_access[orgId]) {
+        const orgRoles: string[] = user.resource_access[orgId].roles;
+        const roleAccess = requiredRoles.some((role) => orgRoles.includes(role));
+
+        if (!roleAccess) {
+          throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, {
+            cause: new Error('error'),
+            description: ResponseMessages.errorMessages.forbidden
+          });
+        }
+        return roleAccess;
+      }
+
+      const specificOrg = user.userOrgRoles.find((orgDetails) => {
+        if (!orgDetails.orgId) {
+          return false;
+        }
+        return orgDetails.orgId.toString().trim() === orgId.toString().trim();
+      });
+
+      if (!specificOrg) {
+        throw new ForbiddenException(ResponseMessages.organisation.error.orgNotMatch, {
+          cause: new Error('error'),
+          description: ResponseMessages.errorMessages.forbidden
+        });
+      }
+
+      user.selectedOrg = specificOrg;
+      // eslint-disable-next-line array-callback-return
+      user.selectedOrg.orgRoles = user.userOrgRoles
+        .filter((orgRoleItem) => orgRoleItem.orgId && orgRoleItem.orgId.toString().trim() === orgId.toString().trim())
+        .map((orgRoleItem) => orgRoleItem.orgRole.name);
+    } else {
+      return false;
+    }
+
+    // Sending user friendly message if a user attempts to access an API that is inaccessible to their role
+    const roleAccess = requiredRoles.some((role) => user.selectedOrg?.orgRoles.includes(role));
+    if (!roleAccess) {
+      throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, {
+        cause: new Error('error'),
+        description: ResponseMessages.errorMessages.forbidden
+      });
+    }
+
+    return roleAccess;
+  }
+}
@@ -0,0 +1,34 @@
+import { EcosystemRepository } from 'apps/ecosystem/repositories/ecosystem.repository';
+import { Injectable } from '@nestjs/common';
+import { OpenAPIObject } from '@nestjs/swagger';
+
+@Injectable()
+export class EcosystemSwaggerFilter {
+  constructor(private readonly ecosystemRepository: EcosystemRepository) {}
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  async filterDocument(document: OpenAPIObject): Promise<OpenAPIObject> {
+    const config = await this.ecosystemRepository.getPlatformConfig();
+    const enabled = Boolean(config?.isEcosystemEnabled);
+
+    if (!enabled) {
+      if (!document.paths) {
+        return document;
+      }
+      Object.keys(document.paths).forEach((path) => {
+        Object.keys(document.paths[path]).forEach((method) => {
+          const operation = document.paths[path][method];
+
+          if (operation.tags?.includes('ecosystem')) {
+            delete document.paths[path][method];
+          }
+        });
+
+        if (0 === Object.keys(document.paths[path]).length) {
+          delete document.paths[path];
+        }
+      });
+    }
+
+    return document;
+  }
+}