🔒 Update auth requirements for tenant-admin and governance roles

[ff137]

Endpoints that can only be called by tenant-admins and governance were previously authed under the hood to use the correct API keys.

Now the API keys are inferred from the auth provided in the request, and will return unauthorized if a tenant-admin or governance request does not provide the correct API key for the multitenant or governance agent, respectively.

To-do:

• there is one hacky workaround that uses tenant-admin internally to fetch a label for a verifier wallet, in case the verifier is not found on the trust registry. Ideally we don't need a "default tenant admin" auth internally, so perhaps this workaround can be refactored
• we use endorser controller internally in quite a few places, and this logic should be migrated to the endorser service, such that only the endorser service needs to know what the governance agent api key (cloudapi can then remove the env var for that key)

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
app
main.py	78	26	67%	71–74, 96, 98, 100, 104, 111, 137–142, 149–179
app/dependencies
acapy_clients.py	22	2	91%	26, 42
auth.py	56	19	66%	31, 37–38, 41, 52–55, 62–63, 68, 74–77, 81–84, 88–89, 94
role.py	34	1	97%	56
app/event_handling
sse_listener.py	40	8	80%	48–53, 72–77
websocket_manager.py	75	32	57%	32–38, 63–67, 86–89, 96–107, 114–124, 138
app/models
issuer.py	41	2	95%	34, 43
tenants.py	66	13	80%	93, 96, 105–115, 130–138
verifier.py	54	8	85%	30, 38–42, 79, 87–91
app/routes
connections.py	60	39	35%	26–40, 56–66, 80–94, 110–121, 140–147
definitions.py	206	83	60%	79–136, 169–170, 247–248, 277–278, 288, 342–343, 353, 360–365, 397–445, 469–470, 509–579, 587–606
issuer.py	135	8	94%	63, 94, 154, 187, 204, 313, 326, 358
jsonld.py	62	49	21%	29–92, 103–141
messaging.py	21	9	57%	31–36, 56–63
oob.py	50	32	36%	27–66, 77–89, 113–123
sse.py	32	15	53%	37–43, 66–72, 99–107, 136–142, 173–184
verifier.py	145	32	78%	58–60, 65, 103–105, 110, 152, 160–162, 167, 201–205, 214–216, 245–247, 253, 286–288, 293, 323–325, 359–361
webhooks.py	16	4	75%	30–34, 53–57
websocket_endpoint.py	18	18	0%	1–41
app/routes/admin
tenants.py	150	120	20%	46–156, 165–189, 197–214, 224–234, 243–255, 265–305
app/routes/wallet
credentials.py	78	54	31%	31–40, 49–59, 68–78, 87–99, 110–122, 134–143, 152–162, 171–181
dids.py	75	22	71%	24–33, 50–51, 71–72, 84–91, 99–105
app/services
acapy_ledger.py	69	18	74%	50–51, 77–79, 118–119, 132–151, 204–205
acapy_wallet.py	40	4	90%	61–62, 96–97
revocation_registry.py	120	27	78%	247–248, 311–316, 332–343, 352–367, 419–423
sse.py	71	55	23%	20–24, 36–49, 62–75, 91–108, 125–142, 160–183
webhooks.py	27	18	33%	14–24, 31–39
websocket.py	44	44	0%	1–79
app/services/issuer
acapy_issuer_v1.py	91	13	86%	31, 58–81, 162–163
acapy_issuer_v2.py	103	21	80%	46–49, 69–103, 141, 187–188, 211
app/services/onboarding
issuer.py	38	6	84%	98–100, 117–119
tenants.py	62	48	23%	26–92, 102–132
verifier.py	36	3	92%	66, 82–86
app/services/onboarding/util
register_issuer_did.py	61	7	89%	83–85, 174–176, 191
set_endorser_metadata.py	69	37	46%	26–28, 46–48, 70–72, 103–120, 132–141, 153–164, 177–189
app/services/trust_registry
actors.py	107	9	92%	94–99, 109, 208–209, 211–216, 281–284
schemas.py	49	4	92%	56–61, 91–96
app/services/trust_registry/util
actor.py	31	2	94%	26–27
issuer.py	23	4	83%	39–40, 48–49
app/services/verifier
acapy_verifier_v1.py	133	68	49%	35, 58–62, 73, 95–99, 104, 112, 136–140, 145, 158–168, 173–175, 181–195, 199–218, 222–234, 238–258
acapy_verifier_v2.py	140	74	47%	38–43, 63–67, 79–84, 106–110, 115, 128–133, 147–151, 156, 169–181, 186–190, 196–210, 214–233, 237–251, 255–275
app/tests/admin
test_onboarding.py	85	1	99%	254
app/tests/e2e
conftest.py	23	5	78%	38–46
test_credentials.py	99	11	89%	96–130
test_jsonld.py	64	16	75%	133–168
test_tenants.py	276	13	95%	153, 197–198, 226, 558, 592–593, 602–603, 615–616, 625–626
test_trust_registry_integration.py	63	1	98%	111
test_verifier.py	305	91	70%	36, 488–507, 524–557, 574–606, 623–645, 669–723, 904–983
test_wallet_dids.py	67	10	85%	92–107
app/tests/issuer
test_issuer.py	160	2	99%	295–298
app/tests/services
test_revocation_registry.py	102	6	94%	72, 118, 153, 233, 277, 296
app/tests/util
ecosystem_connections.py	135	27	80%	276–295, 312–332, 340–380
ledger.py	49	10	80%	34, 42, 54, 62–66, 76, 82
member_acapy_clients.py	36	6	83%	47–50, 65–66, 73–74
trust_registry.py	41	3	93%	26, 29–30
webhooks.py	25	2	92%	13, 57
app/tests/verifier
utils.py	143	89	38%	174–188, 195–214, 226–263, 271–274, 280–291, 297–306, 311–364, 375–427, 440–466, 479–517, 531–569, 583–604, 615–631, 644–650, 664–680, 694–720
app/util
acapy_issuer_utils.py	18	1	94%	22
acapy_verifier_utils.py	134	82	39%	40, 48–125, 156, 163–182, 186, 193–197, 205–209, 213–217, 224–254, 260–263
credentials.py	10	4	60%	8, 12–15
retry_method.py	16	16	0%	1–25
tenants.py	25	13	48%	12–19, 34–35, 42–49
endorser
endorser_processor.py	162	43	73%	31–39, 55–56, 65–69, 127–131, 135–139, 162–174, 205–209, 212–216, 227–229, 234–235, 250–251, 261–265, 295–304
main.py	8	8	0%	1–12
trustregistry
crud.py	176	152	14%	15–30, 34–46, 50–62, 66–78, 82–141, 145–161, 165–194, 200–214, 218–228, 232–252, 256–283, 287–302
db.py	29	9	69%	11–15, 19–23
list_type.py	10	4	60%	9–12, 15
main.py	41	15	63%	23–32, 54–59, 64
trustregistry/registry
registry_actors.py	82	58	29%	19–22, 27–38, 45–65, 72–82, 89–99, 106–116, 121–127
registry_schemas.py	65	40	38%	24–27, 34–51, 58–92, 97–108, 113–119
webhooks
models.py	53	26	51%	37, 48–50, 54, 58, 62, 66, 71–81, 86–96, 125, 142
webhooks/dependencies
redis_service.py	74	4	95%	19, 207, 212–213
sse_manager.py	176	33	81%	59–66, 111–121, 152–153, 166–180, 235–239, 245–248, 250–253, 278–279, 322–324, 358, 369–370
webhooks/routers
receive_events.py	32	6	81%	37–42, 57–61, 75–79
sse.py	168	137	18%	34–38, 61–96, 121–154, 173–238, 260–301, 324–376
webhooks.py	30	2	93%	35, 62
webhooks/tests
test_sse_manager.py	128	3	98%	145–146, 152
webhooks/tests/e2e
test_sse.py	81	4	95%	121, 147–150
TOTAL	8708	2011	77%

Tests	Skipped	Failures	Errors	Time
259	2 💤	16 ❌	0 🔥	8m 27s ⏱️

[sonarqubecloud]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
app
main.py	79	26	67%	72–75, 97, 99, 101, 105, 112, 138–143, 150–180
app/dependencies
acapy_clients.py	23	2	91%	33, 49
auth.py	56	19	66%	31, 37–38, 41, 52–55, 62–63, 68, 74–77, 81–84, 88–89, 94
role.py	34	1	97%	56
app/event_handling
sse_listener.py	40	8	80%	48–53, 72–77
websocket_manager.py	75	32	57%	32–38, 63–67, 86–89, 96–107, 114–124, 138
app/models
issuer.py	41	2	95%	34, 43
tenants.py	66	13	80%	93, 96, 105–115, 130–138
verifier.py	54	8	85%	30, 38–42, 79, 87–91
app/routes
connections.py	60	39	35%	26–40, 56–66, 80–94, 110–121, 140–147
definitions.py	206	83	60%	79–136, 169–170, 247–248, 277–278, 288, 342–343, 353, 360–365, 397–445, 469–470, 509–579, 587–606
issuer.py	135	8	94%	63, 94, 154, 187, 204, 313, 326, 358
jsonld.py	62	49	21%	29–92, 103–141
messaging.py	21	9	57%	31–36, 56–63
oob.py	50	32	36%	27–66, 77–89, 113–123
sse.py	32	15	53%	37–43, 66–72, 99–107, 136–142, 173–184
verifier.py	145	32	78%	58–60, 65, 103–105, 110, 152, 160–162, 167, 201–205, 214–216, 245–247, 253, 286–288, 293, 323–325, 359–361
webhooks.py	16	4	75%	30–34, 53–57
websocket_endpoint.py	18	6	67%	17–18, 27–28, 38–41
app/routes/admin
tenants.py	150	120	20%	46–156, 165–189, 197–214, 224–234, 243–255, 265–305
app/routes/wallet
credentials.py	78	54	31%	31–40, 49–59, 68–78, 87–99, 110–122, 134–143, 152–162, 171–181
dids.py	75	22	71%	24–33, 50–51, 71–72, 84–91, 99–105
app/services
acapy_ledger.py	69	18	74%	50–51, 77–79, 118–119, 132–151, 204–205
acapy_wallet.py	40	4	90%	61–62, 96–97
revocation_registry.py	120	27	78%	247–248, 311–316, 332–343, 352–367, 419–423
sse.py	71	55	23%	20–24, 36–49, 62–75, 91–108, 125–142, 160–183
webhooks.py	27	18	33%	14–24, 31–39
websocket.py	44	34	23%	19–22, 29–36, 45–79
app/services/issuer
acapy_issuer_v1.py	91	13	86%	31, 58–81, 162–163
acapy_issuer_v2.py	103	21	80%	46–49, 69–103, 141, 187–188, 211
app/services/onboarding
issuer.py	38	6	84%	98–100, 117–119
tenants.py	62	48	23%	26–92, 102–132
verifier.py	36	3	92%	66, 82–86
app/services/onboarding/util
register_issuer_did.py	61	7	89%	83–85, 174–176, 191
set_endorser_metadata.py	69	37	46%	26–28, 46–48, 70–72, 103–120, 132–141, 153–164, 177–189
app/services/trust_registry
actors.py	107	9	92%	94–99, 109, 208–209, 211–216, 281–284
schemas.py	49	4	92%	56–61, 91–96
app/services/trust_registry/util
actor.py	31	2	94%	26–27
issuer.py	23	4	83%	39–40, 48–49
app/services/verifier
acapy_verifier_v1.py	133	68	49%	35, 58–62, 73, 95–99, 104, 112, 136–140, 145, 158–168, 173–175, 181–195, 199–218, 222–234, 238–258
acapy_verifier_v2.py	140	74	47%	38–43, 63–67, 79–84, 106–110, 115, 128–133, 147–151, 156, 169–181, 186–190, 196–210, 214–233, 237–251, 255–275
app/tests/admin
test_onboarding.py	85	1	99%	254
app/tests/e2e
conftest.py	23	5	78%	38–46
test_credentials.py	99	11	89%	96–130
test_jsonld.py	64	16	75%	133–168
test_tenants.py	276	13	95%	153, 197–198, 226, 558, 592–593, 602–603, 615–616, 625–626
test_trust_registry_integration.py	63	1	98%	111
test_verifier.py	305	1	99%	36
test_wallet_dids.py	67	10	85%	92–107
app/tests/issuer
test_issuer.py	160	2	99%	295–298
app/tests/services
test_revocation_registry.py	102	6	94%	72, 118, 153, 233, 277, 296
app/tests/util
ecosystem_connections.py	135	27	80%	276–295, 312–332, 340–380
ledger.py	49	10	80%	34, 42, 54, 62–66, 76, 82
member_acapy_clients.py	36	6	83%	47–50, 65–66, 73–74
trust_registry.py	41	3	93%	26, 29–30
webhooks.py	25	2	92%	13, 57
app/tests/verifier
utils.py	143	89	38%	174–188, 195–214, 226–263, 271–274, 280–291, 297–306, 311–364, 375–427, 440–466, 479–517, 531–569, 583–604, 615–631, 644–650, 664–680, 694–720
app/util
acapy_issuer_utils.py	18	1	94%	22
acapy_verifier_utils.py	134	82	39%	40, 48–125, 156, 163–182, 186, 193–197, 205–209, 213–217, 224–254, 260–263
credentials.py	10	4	60%	8, 12–15
retry_method.py	16	16	0%	1–25
tenants.py	25	13	48%	12–19, 34–35, 42–49
endorser
endorser_processor.py	162	43	73%	31–39, 55–56, 65–69, 127–131, 135–139, 162–174, 205–209, 212–216, 227–229, 234–235, 250–251, 261–265, 295–304
main.py	8	8	0%	1–12
trustregistry
crud.py	176	152	14%	15–30, 34–46, 50–62, 66–78, 82–141, 145–161, 165–194, 200–214, 218–228, 232–252, 256–283, 287–302
db.py	29	9	69%	11–15, 19–23
list_type.py	10	4	60%	9–12, 15
main.py	41	15	63%	23–32, 54–59, 64
trustregistry/registry
registry_actors.py	82	58	29%	19–22, 27–38, 45–65, 72–82, 89–99, 106–116, 121–127
registry_schemas.py	65	40	38%	24–27, 34–51, 58–92, 97–108, 113–119
webhooks
models.py	53	26	51%	37, 48–50, 54, 58, 62, 66, 71–81, 86–96, 125, 142
webhooks/dependencies
redis_service.py	74	4	95%	19, 207, 212–213
sse_manager.py	176	33	81%	59–66, 111–121, 152–153, 166–180, 235–239, 245–248, 250–253, 278–279, 322–324, 358, 369–370
webhooks/routers
receive_events.py	32	6	81%	37–42, 57–61, 75–79
sse.py	168	137	18%	34–38, 61–96, 121–154, 173–238, 260–301, 324–376
webhooks.py	30	2	93%	35, 62
webhooks/tests
test_sse_manager.py	128	3	98%	145–146, 152
webhooks/tests/e2e
test_sse.py	81	4	95%	121, 147–150
TOTAL	8710	1899	78%

Tests	Skipped	Failures	Errors	Time
259	2 💤	0 ❌	0 🔥	8m 30s ⏱️