feature/notification-and-signature-org-validation (#186)

* feat(notification): validate user organization (check that it is admin or has the same org id than the procedure that is being modified)

* update version

* feat(retry-signature): implement orgId validation

* add xivatos

* refactor: add BackofficePdp to validate sign, notification and revocation flows

* upgrade coverage

* upgrade coverage

* upgrade coverage

* fix backofficePdpImpl package name

* refactor BackofficePdpImpl

* restore comments, remove and fix logs

* remove unused imports

* enhance Changelog entry

Author: rogermiretin2

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.2.2](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.2)
+### Changed
+- Add org ID validation for notification and async signature flows.
+
 ## [v2.2.1](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.1)
 ### Added
 - Add environment variable `sys-admin`, use it instead of constant DEFAULT_ORGANIZATION_NAME, which was used in email templates.

build.gradle

@@ -12,7 +12,7 @@ plugins {
 
 group = 'es.in2'
 
-version = '2.2.1'
+version = '2.2.2'
 
 java {
     sourceCompatibility = '17'

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/impl/CredentialStatusWorkflowImpl.java

@@ -5,6 +5,7 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import es.in2.issuer.backend.backoffice.application.workflow.CredentialStatusWorkflow;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
 import es.in2.issuer.backend.backoffice.domain.service.CredentialStatusAuthorizationService;
 import es.in2.issuer.backend.backoffice.domain.service.CredentialStatusService;
 import es.in2.issuer.backend.backoffice.domain.exception.InvalidStatusException;
@@ -30,6 +31,7 @@ public class CredentialStatusWorkflowImpl implements CredentialStatusWorkflow {
 
     private final CredentialStatusService credentialStatusService;
     private final AccessTokenService accessTokenService;
+    private final BackofficePdp backofficePdp;
     private final CredentialStatusAuthorizationService credentialStatusAuthorizationService;
     private final CredentialProcedureService credentialProcedureService;
     private final ObjectMapper objectMapper;
@@ -47,7 +49,7 @@ public Flux<String> getCredentialsByListId(String processId, int listId) {
     @Override
     public Mono<Void> revokeCredential(String processId, String bearerToken, String credentialProcedureId, int listId) {
         return accessTokenService.getCleanBearerToken(bearerToken)
-                .flatMap(token -> credentialStatusAuthorizationService.authorize(processId, token, credentialProcedureId)
+                .flatMap(token -> backofficePdp.validateRevokeCredential(processId, token, credentialProcedureId)
                         .then(credentialProcedureService.getCredentialProcedureById(credentialProcedureId))
                 )
                 .flatMap(credential -> validateStatus(credential.getCredentialStatus())

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/BackofficePdp.java

@@ -0,0 +1,12 @@
+package es.in2.issuer.backend.backoffice.application.workflow.policies;
+
+import reactor.core.publisher.Mono;
+
+public interface BackofficePdp {
+
+    Mono<Void> validateSignCredential(String processId, String token, String credentialProcedureId);
+
+    Mono<Void> validateRevokeCredential(String processId, String token, String credentialProcedureId);
+
+    Mono<Void> validateSendReminder(String processId, String token, String credentialProcedureId);
+}

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/impl/BackofficePdpImpl.java

@@ -0,0 +1,138 @@
+package es.in2.issuer.backend.backoffice.application.workflow.policies.impl;
+
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jwt.SignedJWT;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
+import es.in2.issuer.backend.shared.domain.exception.JWTParsingException;
+import es.in2.issuer.backend.shared.domain.exception.UnauthorizedRoleException;
+import es.in2.issuer.backend.shared.domain.service.JWTService;
+import es.in2.issuer.backend.shared.domain.util.factory.LEARCredentialEmployeeFactory;
+import es.in2.issuer.backend.shared.infrastructure.config.AppConfig;
+import es.in2.issuer.backend.shared.infrastructure.repository.CredentialProcedureRepository;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+import reactor.core.publisher.Mono;
+
+import java.text.ParseException;
+import java.util.UUID;
+
+import static es.in2.issuer.backend.backoffice.domain.util.Constants.LEAR;
+import static es.in2.issuer.backend.backoffice.domain.util.Constants.ROLE;
+import static es.in2.issuer.backend.backoffice.domain.util.Constants.VC;
+
+@Service
+@Slf4j
+@RequiredArgsConstructor
+public class BackofficePdpImpl implements BackofficePdp {
+
+    private final AppConfig appConfig;
+    private final JWTService jwtService;
+    private final LEARCredentialEmployeeFactory learCredentialEmployeeFactory;
+    private final CredentialProcedureRepository credentialProcedureRepository;
+
+    @Override
+    public Mono<Void> validateSignCredential(String processId, String token, String credentialProcedureId) {
+        log.info("Validating 'sign' action for processId={} and credentialProcedureId={}", processId, credentialProcedureId);
+        return validateCommon(token, credentialProcedureId);
+    }
+
+    @Override
+    public Mono<Void> validateRevokeCredential(String processId, String token, String credentialProcedureId) {
+        log.info("Validating 'revoke' action for processId={} and credentialProcedureId={}", processId, credentialProcedureId);
+        return validateCommon(token, credentialProcedureId);
+    }
+
+    @Override
+    public Mono<Void> validateSendReminder(String processId, String token, String credentialProcedureId) {
+        log.info("Validating 'send reminder' action for processId={} and credentialProcedureId={}", processId, credentialProcedureId);
+        return validateCommon(token, credentialProcedureId);
+    }
+
+    private Mono<Void> validateCommon(String token, String credentialProcedureId) {
+        return parseTokenAndValidateRole(token)
+                .flatMap(signedJWT ->
+                        extractUserOrganizationIdentifier(signedJWT)
+                                .flatMap(userOrg -> {
+
+                                    if (isSysAdmin(userOrg)) {
+                                        log.info("User belongs to admin organization. Skipping DB lookup.");
+                                        return Mono.empty();
+                                    }
+
+                                    return credentialProcedureRepository.findById(UUID.fromString(credentialProcedureId))
+                                            .flatMap(credentialProcedure ->
+                                                    matchUserAndCredentialOrganization(
+                                                            userOrg,
+                                                            credentialProcedure.getOrganizationIdentifier()
+                                                    )
+                                            );
+                                })
+                );
+    }
+
+    private Mono<SignedJWT> parseTokenAndValidateRole(String token) {
+        return parseToken(token)
+                .flatMap(signedJWT ->
+                        extractRole(signedJWT)
+                                .flatMap(this::ensureRoleIsLear)
+                                .thenReturn(signedJWT)
+                );
+    }
+
+    private Mono<SignedJWT> parseToken(String token) {
+        return Mono.fromCallable(() -> jwtService.parseJWT(token));
+    }
+
+    private Mono<String> extractRole(SignedJWT signedJWT) {
+        try {
+            String role = (String) signedJWT.getJWTClaimsSet().getClaim(ROLE);
+            log.info("Extracted role: {}", role);
+            return Mono.just(role);
+        } catch (ParseException e) {
+            return Mono.error(new JWTParsingException(e.getMessage()));
+        }
+    }
+
+    private Mono<String> extractUserOrganizationIdentifier(SignedJWT signedJWT) {
+        Payload payload = signedJWT.getPayload();
+        String vcClaim = jwtService.getClaimFromPayload(payload, VC);
+        log.debug("VC claim: {}", vcClaim);
+
+        // TODO: Adapt to all credential types if needed
+        String userOrganizationIdentifier =
+                learCredentialEmployeeFactory
+                        .mapStringToLEARCredentialEmployee(vcClaim)
+                        .credentialSubject()
+                        .mandate()
+                        .mandator()
+                        .organizationIdentifier();
+
+        log.info("User organization identifier: {}", userOrganizationIdentifier);
+        return Mono.just(userOrganizationIdentifier);
+    }
+
+    private boolean isSysAdmin(String userOrganizationIdentifier) {
+        return userOrganizationIdentifier.equals(appConfig.getAdminOrganizationId());
+    }
+
+    private Mono<Void> matchUserAndCredentialOrganization(String userOrganizationIdentifier,
+                                                          String credentialOrganizationIdentifier) {
+
+        if (userOrganizationIdentifier.equals(credentialOrganizationIdentifier)) {
+            return Mono.empty();
+        }
+
+        return Mono.error(
+                new UnauthorizedRoleException("Access denied: Unauthorized organization identifier")
+        );
+    }
+
+    private Mono<Void> ensureRoleIsLear(String role) {
+        if (!LEAR.equals(role)) {
+            return Mono.error(new UnauthorizedRoleException(
+                    "Access denied: Unauthorized role to perform this credential action"));
+        }
+        return Mono.empty();
+    }
+}

src/main/java/es/in2/issuer/backend/backoffice/domain/service/NotificationService.java

@@ -3,5 +3,5 @@
 import reactor.core.publisher.Mono;
 
 public interface NotificationService {
-    Mono<Void> sendNotification(String processId,String procedureId);
+    Mono<Void> sendNotification(String processId,String procedureId, String token);
 }

src/main/java/es/in2/issuer/backend/backoffice/domain/service/impl/NotificationServiceImpl.java

@@ -1,59 +1,72 @@
 package es.in2.issuer.backend.backoffice.domain.service.impl;
 
-
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
 import es.in2.issuer.backend.backoffice.domain.service.NotificationService;
 import es.in2.issuer.backend.shared.domain.exception.EmailCommunicationException;
-import es.in2.issuer.backend.shared.domain.service.CredentialProcedureService;
-import es.in2.issuer.backend.shared.domain.service.DeferredCredentialMetadataService;
-import es.in2.issuer.backend.shared.domain.service.EmailService;
-import es.in2.issuer.backend.shared.domain.service.TranslationService;
+import es.in2.issuer.backend.shared.domain.service.*;
 import es.in2.issuer.backend.shared.infrastructure.config.AppConfig;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.stereotype.Service;
+import org.springframework.web.server.ResponseStatusException;
 import reactor.core.publisher.Mono;
 
 import static es.in2.issuer.backend.backoffice.domain.util.Constants.*;
-import static es.in2.issuer.backend.shared.domain.model.enums.CredentialStatusEnum.*;
 
 @Slf4j
 @Service
 @RequiredArgsConstructor
 public class NotificationServiceImpl implements NotificationService {
 
     private final AppConfig appConfig;
+    private final AccessTokenService accessTokenService;
+    private final BackofficePdp backofficePdp;
     private final EmailService emailService;
     private final CredentialProcedureService credentialProcedureService;
     private final DeferredCredentialMetadataService deferredCredentialMetadataService;
-    private final TranslationService translationService;
 
     @Override
-    public Mono<Void> sendNotification(String processId, String procedureId) {
+    public Mono<Void> sendNotification(String processId, String procedureId, String bearerToken) {
         // TODO this flow doesn't udpate the credential procedure, but we should consider updating the "udpated_by" field for auditing and maybe have the last person to send a reminder to receive the failed signature email
-        return credentialProcedureService.getCredentialProcedureById(procedureId)
-                        .flatMap(credentialProcedure -> credentialProcedureService.getCredentialOfferEmailInfoByProcedureId(procedureId)
-                                .flatMap(emailCredentialOfferInfo -> {
-                                            // TODO we need to remove the withdraw status from the condition since the v1.2.0 version is deprecated but in order to support retro compatibility issues we will keep it for now.
-                                            if (credentialProcedure.getCredentialStatus().toString().equals(DRAFT.toString()) || credentialProcedure.getCredentialStatus().toString().equals(WITHDRAWN.toString())) {
-                                                return deferredCredentialMetadataService.updateTransactionCodeInDeferredCredentialMetadata(procedureId)
-                                                        .flatMap(newTransactionCode -> emailService.sendCredentialActivationEmail(
-                                                                emailCredentialOfferInfo.email(),
-                                                                CREDENTIAL_ACTIVATION_EMAIL_SUBJECT,
-                                                                appConfig.getIssuerFrontendUrl() + "/credential-offer?transaction_code=" + newTransactionCode,
-                                                                appConfig.getKnowledgebaseWalletUrl(),
-                                                                emailCredentialOfferInfo.organization()
-                                                        ))
-                                                        .onErrorMap(exception ->
-                                                                new EmailCommunicationException(MAIL_ERROR_COMMUNICATION_EXCEPTION_MESSAGE));
-                                            } else if (credentialProcedure.getCredentialStatus().toString().equals(PEND_DOWNLOAD.toString())) {
-
-                                                return emailService.sendCredentialSignedNotification(credentialProcedure.getEmail(), CREDENTIAL_READY, "email.you-can-use-wallet");
-                                            } else {
-                                                return Mono.empty();
-                                            }
-                                        }
-                                )
-                        );
-    }
+        log.info("sendNotification processId={} organizationId={} token={}", processId, bearerToken, procedureId);
+
+        return accessTokenService.getCleanBearerToken(bearerToken)
+                .flatMap(token -> backofficePdp.validateSendReminder(processId, token, procedureId)
+                        .then(credentialProcedureService.getCredentialProcedureById(procedureId))
+                )
+                .zipWhen(credentialProcedure -> credentialProcedureService.getCredentialOfferEmailInfoByProcedureId(procedureId))
+                .flatMap(tuple -> {
+                    final var credentialProcedure = tuple.getT1();
+                    final var emailInfo = tuple.getT2();
 
-}
+                    return switch (credentialProcedure.getCredentialStatus()) {
+                        // TODO we need to remove the withdraw status from the condition since the v1.2.0 version is deprecated but in order to support retro compatibility issues we will keep it for now.
+                        case DRAFT, WITHDRAWN ->
+                            deferredCredentialMetadataService
+                                    .updateTransactionCodeInDeferredCredentialMetadata(procedureId)
+                                    .flatMap(newTransactionCode ->
+                                            emailService.sendCredentialActivationEmail(
+                                                    emailInfo.email(),
+                                                    CREDENTIAL_ACTIVATION_EMAIL_SUBJECT,
+                                                    appConfig.getIssuerFrontendUrl() + "/credential-offer?transaction_code=" + newTransactionCode,
+                                                    appConfig.getKnowledgebaseWalletUrl(),
+                                                    emailInfo.organization()
+                                            )
+                                    )
+                                    .onErrorMap(ex -> new EmailCommunicationException(MAIL_ERROR_COMMUNICATION_EXCEPTION_MESSAGE));
+
+                        case PEND_DOWNLOAD ->
+                            emailService.sendCredentialSignedNotification(
+                                    credentialProcedure.getEmail(),
+                                    CREDENTIAL_READY,
+                                    "email.you-can-use-wallet"
+                            );
+
+                        default -> Mono.empty();
+                    };
+                })
+                .then();
+    }
+}

src/main/java/es/in2/issuer/backend/backoffice/infrastructure/controller/NotificationController.java

@@ -7,6 +7,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 import reactor.core.publisher.Mono;
+import org.springframework.http.HttpHeaders;
 
 import java.util.UUID;
 
@@ -20,8 +21,8 @@ public class NotificationController {
 
     @PostMapping(value = "/{procedure_id}", produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseStatus(HttpStatus.NO_CONTENT)
-    public Mono<Void> sendEmailNotification(@PathVariable("procedure_id") String procedureId) {
+    public Mono<Void> sendEmailNotification(@RequestHeader(HttpHeaders.AUTHORIZATION) String bearerToken, @PathVariable("procedure_id") String procedureId) {
         String processId = UUID.randomUUID().toString();
-        return notificationService.sendNotification(processId, procedureId);
+        return notificationService.sendNotification(processId, procedureId, bearerToken);
     }
 }

src/main/java/es/in2/issuer/backend/backoffice/infrastructure/controller/SignUnsignedCredentialController.java

@@ -1,7 +1,6 @@
 package es.in2.issuer.backend.backoffice.infrastructure.controller;
 
 import es.in2.issuer.backend.shared.application.workflow.CredentialSignerWorkflow;
-import es.in2.issuer.backend.shared.domain.service.AccessTokenService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpHeaders;
@@ -10,28 +9,28 @@
 import org.springframework.web.bind.annotation.*;
 import reactor.core.publisher.Mono;
 
+import java.util.UUID;
+
 @Slf4j
 @RestController
 @RequestMapping("/backoffice/v1/retry-sign-credential")
 @RequiredArgsConstructor
 public class SignUnsignedCredentialController {
 
     private final CredentialSignerWorkflow credentialSignerWorkflow;
-    private final AccessTokenService accessTokenService;
 
     @PostMapping(value = "/{procedure_id}", produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseStatus(HttpStatus.CREATED)
     public Mono<Void> signUnsignedCredential(
             @RequestHeader(HttpHeaders.AUTHORIZATION) String authorizationHeader,
             @PathVariable("procedure_id") String procedureId) {
 
-        return accessTokenService
-                .getCleanBearerToken(authorizationHeader)
-                .flatMap(token ->
-                        accessTokenService.getMandateeEmail(token)
-                                .flatMap(email ->
-                                        credentialSignerWorkflow.retrySignUnsignedCredential(token, procedureId, email)
-                                )
-                );
+        String processId = UUID.randomUUID().toString();
+
+        return credentialSignerWorkflow.retrySignUnsignedCredential(
+                processId,
+                authorizationHeader,
+                procedureId
+        );
     }
 }

src/main/java/es/in2/issuer/backend/shared/application/workflow/CredentialSignerWorkflow.java

@@ -5,5 +5,5 @@
 public interface CredentialSignerWorkflow {
     Mono<String> signAndUpdateCredentialByProcedureId(String authorizationHeader, String procedureId, String format);
 
-    Mono<Void> retrySignUnsignedCredential(String authorizationHeader, String procedureId, String email);
+    Mono<Void> retrySignUnsignedCredential(String processId, String authorizationHeader, String procedureId);
 }