use user token for trigger service sandbox test fixture (#13077)

In SandboxFixture when mixing in the auth middleware fixture, set
up the ledger client with a user token instead of a claims token
when not running in the claims-token-specific auth tests.

Fixes #12831.

* note about inClaims

* prevent Product, Serializable warts with AuthServiceJWTPayload

CHANGELOG_BEGIN
CHANGELOG_END

ledger/ledger-api-auth/src/main/scala/com/digitalasset/ledger/api/auth/AuthServiceJWTPayload.scala

@@ -11,7 +11,7 @@ import spray.json._
 import scala.util.Try
 
 /** All the JWT payloads that can be used with the JWT auth service. */
-sealed trait AuthServiceJWTPayload
+sealed abstract class AuthServiceJWTPayload extends Product with Serializable
 
 /** A JWT token payload constructed from custom claims specific to Daml ledgers.
   *

triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/TriggerServiceTestAuth.scala

@@ -14,4 +14,5 @@ class TriggerServiceTestAuthClaims
     with AbstractTriggerServiceTestInMem
     with AbstractTriggerServiceTestAuthMiddleware {
   override protected[this] def oauth2YieldsUserTokens = false
+  override protected[this] def sandboxClientTakesUserToken = false
 }

triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/TriggerServiceTestAuthWithOracle.scala

@@ -16,4 +16,5 @@ class TriggerServiceTestAuthWithOracleClaims
     with TriggerDaoOracleFixture
     with AbstractTriggerServiceTestAuthMiddleware {
   protected[this] override def oauth2YieldsUserTokens = false
+  protected[this] override def sandboxClientTakesUserToken = false
 }

triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceFixture.scala

@@ -31,7 +31,7 @@ import com.daml.dbutils.{ConnectionPool, JdbcConfig}
 import com.daml.jwt.domain.DecodedJwt
 import com.daml.jwt.{JwtSigner, JwtVerifier, JwtVerifierBase}
 import com.daml.ledger.api.auth
-import com.daml.ledger.api.auth.{AuthServiceJWTCodec, CustomDamlJWTPayload}
+import com.daml.ledger.api.auth.{AuthServiceJWTCodec, CustomDamlJWTPayload, StandardJWTPayload}
 import com.daml.ledger.api.domain.LedgerId
 import com.daml.ledger.api.refinements.ApiTypes
 import com.daml.ledger.api.refinements.ApiTypes.ApplicationId
@@ -64,6 +64,7 @@ import eu.rekawek.toxiproxy._
 import io.grpc.Channel
 import org.scalactic.source
 import org.scalatest.{BeforeAndAfterAll, BeforeAndAfterEach, Suite, SuiteMixin}
+import scalaz.syntax.show._
 
 import scala.collection.concurrent.TrieMap
 import scala.concurrent._
@@ -134,7 +135,11 @@ trait AbstractAuthFixture extends SuiteMixin {
   self: Suite =>
 
   protected def authService: Option[auth.AuthService]
-  protected def authToken(payload: CustomDamlJWTPayload): Option[String]
+  protected[this] def authToken(
+      admin: Boolean,
+      actAs: List[ApiTypes.Party],
+      readAs: List[ApiTypes.Party],
+  ): Option[String]
   protected def authConfig: AuthConfig
 }
 
@@ -142,7 +147,11 @@ trait NoAuthFixture extends AbstractAuthFixture {
   self: Suite =>
 
   protected override def authService: Option[auth.AuthService] = None
-  protected override def authToken(payload: CustomDamlJWTPayload): Option[String] = None
+  protected[this] override final def authToken(
+      admin: Boolean,
+      actAs: List[ApiTypes.Party],
+      readAs: List[ApiTypes.Party],
+  ) = None
   protected override def authConfig: AuthConfig = NoAuth
 }
 
@@ -154,12 +163,30 @@ trait AuthMiddlewareFixture
   self: Suite =>
 
   protected def authService: Option[auth.AuthService] = Some(auth.AuthServiceJWT(authVerifier))
-  protected def authToken(payload: CustomDamlJWTPayload): Option[String] = Some {
+
+  protected[this] override final def authToken(
+      admin: Boolean,
+      actAs: List[ApiTypes.Party],
+      readAs: List[ApiTypes.Party],
+  ) = Some {
+    val payload =
+      if (sandboxClientTakesUserToken)
+        StandardJWTPayload(userId = "", participantId = None, exp = None)
+      else
+        CustomDamlJWTPayload(
+          ledgerId = None,
+          applicationId = None,
+          participantId = None,
+          exp = None,
+          admin = admin,
+          actAs = ApiTypes.Party unsubst actAs,
+          readAs = ApiTypes.Party unsubst readAs,
+        )
+
     val header = """{"alg": "HS256", "typ": "JWT"}"""
     val jwt = JwtSigner.HMAC256
       .sign(DecodedJwt(header, AuthServiceJWTCodec.compactPrint(payload)), authSecret)
-      .toOption
-      .get
+      .fold(e => fail(e.shows), identity)
     jwt.value
   }
   protected def authConfig: AuthConfig = AuthMiddleware(authMiddlewareUri, authMiddlewareUri)
@@ -180,6 +207,7 @@ trait AuthMiddlewareFixture
       .withScheme("http")
       .withAuthority(authMiddleware.localAddress.getHostString, authMiddleware.localAddress.getPort)
   protected[this] def oauth2YieldsUserTokens: Boolean = true
+  protected[this] def sandboxClientTakesUserToken: Boolean = true
 
   private val authSecret: String = "secret"
   private var resource
@@ -284,17 +312,7 @@ trait SandboxFixture extends BeforeAndAfterAll with AbstractAuthFixture with Akk
         applicationId = ApplicationId.unwrap(applicationId),
         ledgerIdRequirement = LedgerIdRequirement.none,
         commandClient = CommandClientConfiguration.default,
-        token = authToken(
-          CustomDamlJWTPayload(
-            ledgerId = None,
-            applicationId = None,
-            participantId = None,
-            exp = None,
-            admin = admin,
-            actAs = ApiTypes.Party unsubst actAs,
-            readAs = ApiTypes.Party unsubst readAs,
-          )
-        ),
+        token = authToken(admin, actAs = actAs, readAs = readAs),
       ),
     )
 

triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala

@@ -96,6 +96,11 @@ trait AbstractTriggerServiceTest
     self in testFn
 
   protected[this] implicit final class `InClaims syntax`(private val self: ItVerbString) {
+
+    /** Like `in`, but disables tests that would require the oauth test server
+      * to grant claims for the user tokens it manufactures; see
+      * https://github.com/digital-asset/daml/issues/13076
+      */
     def inClaims(testFn: => Future[Assertion])(implicit pos: source.Position) =
       AbstractTriggerServiceTest.this.inClaims(self, testFn)
   }