Custom password for tenant creation (#36)

* proto: add password parameter to CreateTenant

* rpc: handle custom password in tenant creation flow

proto/authenticator.ridl

@@ -161,5 +161,5 @@ service WaasAuthenticatorAdmin
     - Clock() => (serverTime: timestamp)
 
     - GetTenant(projectId: uint64) => (tenant: Tenant)
-    - CreateTenant(projectId: uint64, waasAccessToken: string, oidcProviders: []OpenIdProvider, allowedOrigins: []string) => (tenant: Tenant, upgradeCode: string)
+    - CreateTenant(projectId: uint64, waasAccessToken: string, oidcProviders: []OpenIdProvider, allowedOrigins: []string, password?: string) => (tenant: Tenant, upgradeCode: string)
     - UpdateTenant(projectId: uint64, upgradeCode: string, oidcProviders: []OpenIdProvider, allowedOrigins: []string) => (tenant: Tenant)

proto/clients/authenticator.gen.ts

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// sequence-waas-authenticator v0.1.0 72a0165f606ce0df3a64b01fece4b59c6b05fd10
+// sequence-waas-authenticator v0.1.0 a175abb1a964c85ae743ed2577a103e44fd93f7c
 // --
 // Code generated by [email protected] with typescript generator. DO NOT EDIT.
 //
@@ -12,7 +12,7 @@ export const WebRPCVersion = "v1"
 export const WebRPCSchemaVersion = "v0.1.0"
 
 // Schema hash generated from your RIDL schema
-export const WebRPCSchemaHash = "72a0165f606ce0df3a64b01fece4b59c6b05fd10"
+export const WebRPCSchemaHash = "a175abb1a964c85ae743ed2577a103e44fd93f7c"
 
 //
 // Types
@@ -198,6 +198,7 @@ export interface CreateTenantArgs {
   waasAccessToken: string
   oidcProviders: Array<OpenIdProvider>
   allowedOrigins: Array<string>
+  password?: string
 }
 
 export interface CreateTenantReturn {

rpc/admin.go

@@ -42,7 +42,12 @@ func (s *RPC) GetTenant(ctx context.Context, projectID uint64) (*proto.Tenant, e
 }
 
 func (s *RPC) CreateTenant(
-	ctx context.Context, projectID uint64, waasAccessToken string, oidcProviders []*proto.OpenIdProvider, allowedOrigins []string,
+	ctx context.Context,
+	projectID uint64,
+	waasAccessToken string,
+	oidcProviders []*proto.OpenIdProvider,
+	allowedOrigins []string,
+	password *string,
 ) (*proto.Tenant, string, error) {
 	att := attestation.FromContext(ctx)
 
@@ -94,9 +99,18 @@ func (s *RPC) CreateTenant(
 		return nil, "", fmt.Errorf("retrieving Sequence context: %w", err)
 	}
 
-	upgradeCode := make([]byte, 10)
-	if _, err := att.Read(upgradeCode); err != nil {
-		return nil, "", fmt.Errorf("reading attestation: %w", err)
+	var upgradeCode string
+	if password != nil {
+		if len(*password) < 12 {
+			return nil, "", fmt.Errorf("password must be at least 12 characters long")
+		}
+		upgradeCode = *password
+	} else {
+		b := make([]byte, 10)
+		if _, err := att.Read(b); err != nil {
+			return nil, "", fmt.Errorf("reading attestation: %w", err)
+		}
+		upgradeCode = base32.StdEncoding.EncodeToString(b)
 	}
 
 	privateKey := wallet.PrivateKeyHex()[2:] // remove 0x prefix
@@ -109,7 +123,7 @@ func (s *RPC) CreateTenant(
 			Factory:    seqContext.Factory,
 			MainModule: seqContext.MainModule,
 		},
-		UpgradeCode:     base32.StdEncoding.EncodeToString(upgradeCode),
+		UpgradeCode:     upgradeCode,
 		WaasAccessToken: waasAccessToken,
 		OIDCProviders:   oidcProviders,
 		KMSKeys:         s.Config.KMS.DefaultSessionKeys,

rpc/admin_test.go

@@ -99,7 +99,7 @@ func TestRPC_CreateTenant(t *testing.T) {
 	allowedOrigins := []string{"http://localhost"}
 
 	t.Run("TenantAlreadyExists", func(t *testing.T) {
-		tnt, code, err := c.CreateTenant(ctx, tenant.ProjectID, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins)
+		tnt, code, err := c.CreateTenant(ctx, tenant.ProjectID, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins, nil)
 		assert.Nil(t, tnt)
 		assert.Empty(t, code)
 		assert.ErrorContains(t, err, "tenant already exists")
@@ -110,27 +110,47 @@ func TestRPC_CreateTenant(t *testing.T) {
 			{Issuer: issuer, Audience: audience},
 			{Issuer: "INVALID", Audience: audience},
 		}
-		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", invalidOidcProviders, allowedOrigins)
+		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", invalidOidcProviders, allowedOrigins, nil)
 		assert.Nil(t, tnt)
 		assert.Empty(t, code)
 		assert.ErrorContains(t, err, "invalid oidcProviders")
 	})
 
 	t.Run("InvalidOrigin", func(t *testing.T) {
 		invalidOrigins := []string{"localhost"}
-		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", validOidcProviders, invalidOrigins)
+		tnt, code, err := c.CreateTenant(ctx, 3, "WAAS_ACCESS_TOKEN", validOidcProviders, invalidOrigins, nil)
 		assert.Nil(t, tnt)
 		assert.Empty(t, code)
 		assert.ErrorContains(t, err, "invalid allowedOrigins")
 	})
 
+	t.Run("InvalidPassword", func(t *testing.T) {
+		password := "Password123"
+		tnt, code, err := c.CreateTenant(ctx, 4, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins, &password)
+		assert.Nil(t, tnt)
+		assert.Empty(t, code)
+		assert.ErrorContains(t, err, "password must be at least 12 characters long")
+	})
+
 	t.Run("Success", func(t *testing.T) {
-		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins)
+		tnt, code, err := c.CreateTenant(ctx, 5, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins, nil)
 		require.NoError(t, err)
 		assert.NotEmpty(t, code)
 		assert.NotNil(t, tnt)
 
-		assert.Equal(t, uint64(2), tnt.ProjectID)
+		assert.Equal(t, uint64(5), tnt.ProjectID)
+
+		assert.Contains(t, dbClient.tenants, tnt.ProjectID)
+	})
+
+	t.Run("SuccessWithPassword", func(t *testing.T) {
+		password := "Password1234"
+		tnt, code, err := c.CreateTenant(ctx, 6, "WAAS_ACCESS_TOKEN", validOidcProviders, allowedOrigins, &password)
+		require.NoError(t, err)
+		assert.Equal(t, password, code)
+		assert.NotNil(t, tnt)
+
+		assert.Equal(t, uint64(6), tnt.ProjectID)
 
 		assert.Contains(t, dbClient.tenants, tnt.ProjectID)
 	})