refactor(cmd-api-server): pull OAuth2 endpoint scopes from openapi.json

Primary Changes
----------------
1. added OAuth2 security endpoints scopes to openapi.json
2. added a test to make sure if the scopes are indeed getting
   pulled from the spec file

Fixes #2693

Signed-off-by: aldousalvarez <[email protected]>

1. Please also refactor the third endpoint (prometheus metrics) accordingly
2. Also please extend the test case with each tokens having specific scopes
and then assert that the tokesn with the correct scopes work and the ones
that don't have the correct scopes do not even when they are otherwise
valid tokens.

Signed-off-by: Peter Somogyvari <[email protected]>

.github/workflows/ci.yaml

@@ -493,7 +493,7 @@ jobs:
             --tag cmd-api-server \
             --tag "ghcr.io/hyperledger/cactus-cmd-api-server:$(date +"%Y-%m-%dT%H-%M-%S" --utc)-dev-$(git rev-parse --short HEAD)"
 
-      - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+      - if:  ${{ env.RUN_TRIVY_SCAN == 'true' && (env.DAY_OF_WEEK == '4' || env.DAY_OF_WEEK == '7') }}
         name: Run Trivy vulnerability scan for cmd-api-server
         uses: aquasecurity/[email protected]
         with:

packages/cactus-cmd-api-server/package.json

@@ -89,6 +89,7 @@
     "fastify": "4.28.1",
     "fs-extra": "11.2.0",
     "google-protobuf": "3.21.4",
+    "http-status-codes": "2.1.3",
     "jose": "4.15.5",
     "json-stable-stringify": "1.0.2",
     "lmify": "0.3.0",
@@ -134,7 +135,6 @@
     "google-protobuf": "3.21.4",
     "grpc-tools": "1.12.4",
     "grpc_tools_node_protoc_ts": "5.3.3",
-    "http-status-codes": "2.1.4",
     "protobufjs": "7.4.0",
     "tsx": "4.16.2"
   },

packages/cactus-cmd-api-server/src/main/go/generated/openapi/go-client/.openapi-generator/FILES

@@ -6,6 +6,7 @@ client.go
 configuration.go
 go.mod
 go.sum
+model_cmd_api_server_endpoint_error_response.go
 model_health_check_response.go
 model_memory_usage.go
 model_watch_healthcheck_v1.go

packages/cactus-cmd-api-server/src/main/go/generated/openapi/go-client/README.md

@@ -84,14 +84,26 @@ Class | Method | HTTP request | Description
 
 ## Documentation For Models
 
+ - [CmdApiServerEndpointErrorResponse](docs/CmdApiServerEndpointErrorResponse.md)
  - [HealthCheckResponse](docs/HealthCheckResponse.md)
  - [MemoryUsage](docs/MemoryUsage.md)
  - [WatchHealthcheckV1](docs/WatchHealthcheckV1.md)
 
 
 ## Documentation For Authorization
 
-Endpoints do not require authorization.
+
+Authentication schemes defined for the API:
+### bearerTokenAuth
+
+- **Type**: HTTP Bearer token authentication
+
+Example
+
+```golang
+auth := context.WithValue(context.Background(), sw.ContextAccessToken, "BEARER_TOKEN_STRING")
+r, err := client.Service.Operation(auth, args)
+```
 
 
 ## Documentation for Utility Methods

packages/cactus-cmd-api-server/src/main/go/generated/openapi/go-client/api/openapi.yaml

@@ -8,6 +8,11 @@ info:
   version: 2.0.0
 servers:
 - url: /
+security:
+- bearerTokenAuth:
+  - read:health
+  - read:metrics
+  - read:spec
 paths:
   /api/v1/api-server/healthcheck:
     get:
@@ -21,6 +26,21 @@ paths:
               schema:
                 $ref: '#/components/schemas/HealthCheckResponse'
           description: OK
+        "401":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Unauthorized - Invalid token
+        "403":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Forbidden - Valid token but missing correct scope
+      security:
+      - bearerTokenAuth:
+        - read:health
       summary: Can be used to verify liveness of an API server instance
       x-hyperledger-cacti:
         http:
@@ -37,6 +57,21 @@ paths:
               schema:
                 $ref: '#/components/schemas/PrometheusExporterMetricsResponse'
           description: OK
+        "401":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Unauthorized - Invalid token
+        "403":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Forbidden - Valid token but missing correct scope
+      security:
+      - bearerTokenAuth:
+        - read:metrics
       summary: Get the Prometheus Metrics
       x-hyperledger-cacti:
         http:
@@ -54,6 +89,21 @@ paths:
               schema:
                 $ref: '#/components/schemas/GetOpenApiSpecV1EndpointResponse'
           description: OK
+        "401":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Unauthorized - Invalid token
+        "403":
+          content:
+            '*/*':
+              schema:
+                $ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
+          description: Forbidden - Valid token but missing correct scope
+      security:
+      - bearerTokenAuth:
+        - read:spec
       x-hyperledger-cacti:
         http:
           verbLowerCase: get
@@ -127,3 +177,14 @@ components:
     GetOpenApiSpecV1EndpointResponse:
       nullable: false
       type: string
+    CmdApiServerEndpointErrorResponse:
+      properties:
+        message:
+          example: |
+            Forbidden - Valid token but missing correct scope
+          type: string
+  securitySchemes:
+    bearerTokenAuth:
+      bearerFormat: JSON Web Tokens
+      scheme: bearer
+      type: http