Feature/configurable powers domain (#185)

* update version

* feat: when fetching credential procedures, allow admins to fetch all issued procedures (from all organizations).

* feat: add owner_email in ProcedureBasicInfo so it can be shown in UI

* feat: add organization in ProcedureBasicInfo so it can be shown in UI

* feat: remove owner email from ProcedureBasicInfo

* fix: replace organizationIdentifier for organization in ProcedureBasicInfo

* fix(CredentialProcedureServiceImpl): fix fetching of the decoded credential in toProcedureBasicInfo()

* feat: include organizationIdentifier instead of organization in ProcedureBasicInfo.

* feat(CredentialProcedureService): when getting one procedure by ID and org ID, if user is admin, get it only by ID

* feat(CredentialProcedureService): include ownerEmail in credential details

* test(CredentialProcedureServiceImplTest): tests for getCredentialProcedureById

* feat(issuance): add onBehalf field to CredentialProcedure and CredentialProcedureCreationRequest; when issuing LEAR Credential Employee, add this field (so emails that are sent to the actual credential issuer)

* Revert "feat(issuance): add onBehalf field to CredentialProcedure and CredentialProcedureCreationRequest; when issuing LEAR Credential Employee, add this field (so emails that are sent to the actual credential issuer)"

This reverts commit 58d37fb.

* feat(buildCredentialProcedureCreationRequest): when creating CredentialProcedure for Employee and Machine VCs, use always the mandator organization ID for the organizationIdentifier field.

* refactor: change "owner email" for "subject email"

* test commit: hardcode organization name for email info

* feat: add auditing

* fix(SecurityConfig): replace lambda Converter with explicit class to fix generic type inference error at startup

* fix(CredentialProcedureServiceImpl): restore update in basic info and set it as Instant to make it compatible with new CredentialProcedure

* core/fix: add jackson-datatype-jsr310 to support Instant

* add test logs

* fix(R2dbcAuditingConfig): use reactive security context holder

* in ProcedureBasicInfo), change output organizationIdentifier for organization_identifier

* style: remove and change comments, adjust tabs

* tests

* tests

* restore comment in V7 migration file to avoid flyway error

* upgrade coverage

* sonar issues

* avoid duplication creating a JwtPrincipalService

* avoid duplication creating a JwtPrincipalService

* change "subject_email" for "email" in CredentialProcedure-related models; update flyway scripts

* enhance comments

* fix(issuance): change remaining credential subject email references

* fix(issuance): send email pending credential to admin email (from token mandatee) when acting on behalf

* fix: create securityUtils to get the current access token from authentication context; use it to get org id and mandatee email when sending email on behalf

* Revert "fix: create securityUtils to get the current access token from authentication context; use it to get org id and mandatee email when sending email on behalf"

This reverts commit c0a5ce1.

* wip fix(RemoteSignatureServiceImpl): get admin email from updated_at

* fix(signature flow): make handlePostRecoverError admit email as optional parameter. This is needed because when retrying signature from retrySignUnsignedCredential, the update_at field of the procedure (from which the email was obtained normally) hasn't been updated yet with the current user's email.

* fix(handleOperationMode): get email from procedure.email

* fix: make createDetailedIsssuer and related methods admit email as parameter. This is needed because updatedAt in procedure is updated as system during the previous process

* fix(generateVerifiableCredentialResponse): get email from udpatedBy, not from email

* chivatos

* fix test

* test in JwtPrincipalServiceImpl: set hardcoded email

* feat(security): for public endpoints, add logic to set the email of the id token as principal

* chivatos

* fix(JwtPrincipalService): adapt extractMandateeEmail to ID token structure

* fix(JwtPrincipalService): if couldn't find email, return principal as "anonymous" instead of null to avoid error

* refactor: remove JwtPrincipalService, move its methods to JWTService

* remove credentialProcedureService.getSignerEmailFromDecodedCredentialByProcedureId method

* remove unused comments and parameters

* chivatos

* temporary fix(VerifiableCredentialPolicyAuthorizationServiceImpl.isSignerIssuancePolicyValid): admit LEAR Credential Machine mandator check.

* remove isLikelyEmail

* remove logs

* remove CredentialSignerController

* add logs

* upgrade coverage

* update changelog

* sonar issues

* update changelog

* remove unused parameter 'credentialType' in create...Issuer related methods

* in activate-credential-email-es.html, replace: "Estimado/a [usuario]," > "Hola,"

* add test logs

* fix(SignUnsignedCredentialController): get and use bearer token instead of authorization header

* feat: make admin organization identifier configurable

* fix tests

* upgrade coverage

* sonar issues

* test: manually updated updated_by after sending reminder

* Revert "test: manually updated updated_by after sending reminder"

This reverts commit 082893f.

* sonar issues

* Revert "sonar issues"

This reverts commit 5d34f25.

* dockerfile: replace openjdk for bellsoft/liberica-openjdk-alpine-musl:17

* Reapply "sonar issues"

This reverts commit cec49f3.

* Sonar issues

* Sonar issues

* update chagnelog

* sonar issue in SecurityConfig.convert

* remove and enhance logs and comments

* sonar issue: nonNull in SecurityConfig

* sonar issue: nonNull in SecurityConfig

* update Changelog

* fix(SecurityConfig): avoid error in initialization for lambda causing type uncertainty

* core(Dockerfile): use eclipse-temurin:17-jdk-alpine

* fix(security): suppress S2638 in JwtToAuthConverter

The convert package includes @NonNullApi, but our method overrides
Converter interface which declares convert() as @nullable. This creates
a nullability conflict detected by Sonar. Suppression is safe as the
method always returns Mono.just(), never null.

* update changelog

* refactor: implmenet single responsibility principle in CustomAuthenticationManager and DualTokenAuthentication

* feat: add "sys-tenant" env variable and use it instead of constant DEFAULT_ORGANIZATION_NAME (remove this)

* update version and changelog

* update version and changelog

* fix tests

* add logs

* upgrade coverage

* small arrangements before revision (remove logs and comments)

Author: rogermiretin2

CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.2.1](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.1)
+### Added
+- Add environment variable `sys-admin`, use it instead of constant DEFAULT_ORGANIZATION_NAME, which was used in email templates.
 
 ## [v2.2.0](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.0)
 ### Added

build.gradle

@@ -12,7 +12,7 @@ plugins {
 
 group = 'es.in2'
 
-version = '2.2.0'
+version = '2.2.1'
 
 java {
     sourceCompatibility = '17'

src/main/java/es/in2/issuer/backend/shared/application/workflow/impl/CredentialIssuanceWorkflowImpl.java

@@ -132,7 +132,7 @@ private CredentialOfferEmailNotificationInfo extractCredentialOfferEmailInfo(Pre
                         throw new MissingEmailOwnerException("Email owner email is required for gx:LabelCredential schema");
                     }
                     String email = preSubmittedCredentialDataRequest.email();
-                yield new CredentialOfferEmailNotificationInfo(email, DEFAULT_ORGANIZATION_NAME);
+                yield new CredentialOfferEmailNotificationInfo(email, appConfig.getSysTenant());
             }
             default -> throw new FormatUnsupportedException(
                     "Unknown schema: " + schema

src/main/java/es/in2/issuer/backend/shared/domain/service/impl/CredentialProcedureServiceImpl.java

@@ -379,7 +379,7 @@ public Mono<CredentialOfferEmailNotificationInfo> getCredentialOfferEmailInfoByP
                             case LABEL_CREDENTIAL_TYPE -> Mono.just(
                                     new CredentialOfferEmailNotificationInfo(
                                             credentialProcedure.getEmail(),
-                                            DEFAULT_ORGANIZATION_NAME
+                                            appConfig.getSysTenant()
                                     )
                             );
                             default -> Mono.error(new FormatUnsupportedException(

src/main/java/es/in2/issuer/backend/shared/domain/util/Constants.java

@@ -36,5 +36,4 @@ private Constants() {
     public static final String ENGLISH = "en";
     public static final String DEFAULT_USER_NAME = "Cloud Provider";
     public static final String LEAR_CREDENTIAL_MACHINE_DESCRIPTION = "Verifiable Credential for machines";
-    public static final String DEFAULT_ORGANIZATION_NAME = "DOME";
 }

src/main/java/es/in2/issuer/backend/shared/infrastructure/config/AppConfig.java

@@ -87,4 +87,8 @@ public String getDefaultLang() {
     public String getAdminOrganizationId() {
         return configAdapter.getConfiguration(appProperties.adminOrganizationId());
     }
+
+    public String getSysTenant(){
+        return configAdapter.getConfiguration(appProperties.sysTenant());
+    }
 }

src/main/java/es/in2/issuer/backend/shared/infrastructure/config/properties/AppProperties.java

@@ -18,8 +18,8 @@ public record AppProperties(
         @NotBlank String configSource,
         @NotBlank @URL String walletUrl,
         @NotBlank String defaultLang,
-        @NotBlank String adminOrganizationId
-
+        @NotBlank String adminOrganizationId,
+        @NotBlank String sysTenant
 ) {
 
     @ConstructorBinding
@@ -32,7 +32,8 @@ public AppProperties(
             String configSource,
             String walletUrl,
             String defaultLang,
-            String adminOrganizationId
+            String adminOrganizationId,
+            String sysTenant
     ) {
         this.url = url;
         this.issuerFrontendUrl = issuerFrontendUrl;
@@ -43,6 +44,7 @@ public AppProperties(
         this.walletUrl = walletUrl;
         this.defaultLang = defaultLang;
         this.adminOrganizationId = adminOrganizationId;
+        this.sysTenant = sysTenant;
     }
 
     @Validated

src/main/resources/application.yml

@@ -135,6 +135,8 @@ app:
   default-lang: en
   # The identifier of the admin organization (REQUIRED)
   admin-organization-id:
+  # The system tenant name
+  sys-tenant:
 
 azure:
   endpoint: "https://myappconfig.azconfig.io"

src/test/java/es/in2/issuer/backend/shared/application/workflow/impl/CredentialIssuanceWorkflowImplTest.java

@@ -5,6 +5,8 @@
 import es.in2.issuer.backend.shared.domain.model.dto.VerifierOauth2AccessToken;
 import es.in2.issuer.backend.shared.domain.model.entities.CredentialProcedure;
 import org.mockito.ArgumentCaptor;
+
+import static es.in2.issuer.backend.shared.domain.util.Constants.LABEL_CREDENTIAL;
 import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.*;
 
@@ -913,5 +915,63 @@ void completeWithdrawLEARMachineProcessSyncSuccess() throws Exception {
         ).verifyComplete();
     }
 
+    @Test
+    void labelCredential_usesSysTenantAsOrganizationInEmail() throws Exception {
+        // given
+        String processId = "1234";
+        String token = "token";
+        String idToken = "idToken"; // required by execute() when schema is LABEL_CREDENTIAL
+        String ownerEmail = "[email protected]";
+        String issuerUiExternalDomain = "https://issuer.example.com";
+        String knowledgebaseWalletUrl = "https://knowledgebase.com";
+        String sysTenant = "my-sys-tenant";
+        String tx = "tx-label-001";
+
+        // Minimal payload for label credential (email comes from request, not payload)
+        ObjectMapper om = new ObjectMapper();
+        JsonNode payload = om.readTree("{}");
+
+        PreSubmittedCredentialDataRequest req = PreSubmittedCredentialDataRequest.builder()
+                .payload(payload)
+                .schema(LABEL_CREDENTIAL)
+                .format(JWT_VC_JSON)
+                .operationMode("S")
+                .email(ownerEmail)
+                .build();
+
+        // when
+        when(verifiableCredentialPolicyAuthorizationService.authorize(token, LABEL_CREDENTIAL, payload, idToken))
+                .thenReturn(Mono.empty());
+        when(verifiableCredentialService.generateVc(processId, req, ownerEmail))
+                .thenReturn(Mono.just(tx));
+        when(appConfig.getIssuerFrontendUrl()).thenReturn(issuerUiExternalDomain);
+        when(appConfig.getKnowledgebaseWalletUrl()).thenReturn(knowledgebaseWalletUrl);
+        when(appConfig.getSysTenant()).thenReturn(sysTenant);
+
+        when(emailService.sendCredentialActivationEmail(
+                ownerEmail,
+                "email.activation.subject",
+                issuerUiExternalDomain + "/credential-offer?transaction_code=" + tx,
+                knowledgebaseWalletUrl,
+                sysTenant
+        )).thenReturn(Mono.empty());
+
+        // then
+        StepVerifier.create(
+                verifiableCredentialIssuanceWorkflow.execute(processId, req, token, idToken)
+        ).verifyComplete();
+
+        // verify
+        verify(emailService).sendCredentialActivationEmail(
+                eq(ownerEmail),
+                eq("email.activation.subject"),
+                contains(tx),
+                eq(knowledgebaseWalletUrl),
+                eq(sysTenant)
+        );
+    }
+
+
+
 
 }

src/test/java/es/in2/issuer/backend/shared/domain/service/impl/CredentialProcedureServiceImplTest.java

@@ -5,10 +5,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import es.in2.issuer.backend.shared.domain.exception.NoCredentialFoundException;
 import es.in2.issuer.backend.shared.domain.exception.ParseCredentialJsonException;
-import es.in2.issuer.backend.shared.domain.model.dto.CredentialDetails;
-import es.in2.issuer.backend.shared.domain.model.dto.CredentialProcedureCreationRequest;
-import es.in2.issuer.backend.shared.domain.model.dto.CredentialProcedures;
-import es.in2.issuer.backend.shared.domain.model.dto.ProcedureBasicInfo;
+import es.in2.issuer.backend.shared.domain.model.dto.*;
 import es.in2.issuer.backend.shared.domain.model.entities.CredentialProcedure;
 import es.in2.issuer.backend.shared.domain.model.enums.CredentialStatusEnum;
 import es.in2.issuer.backend.shared.domain.model.enums.CredentialType;
@@ -18,6 +15,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
+import static es.in2.issuer.backend.shared.domain.util.Constants.LABEL_CREDENTIAL_TYPE;
 import static org.junit.jupiter.api.Assertions.*;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
@@ -770,4 +768,39 @@ void getAllProceduresBasicInfoByOrganizationId_shouldReturnEmptyList_whenReposit
 
         verify(credentialProcedureRepository, times(1)).findAllByOrganizationIdentifier(orgId);
     }
+
+    @Test
+    void getCredentialOfferEmailInfoByProcedureId_label_usesSysTenantForOrganization() {
+        // given
+        String procedureId = UUID.randomUUID().toString();
+        String email = "[email protected]";
+        String sysTenant = "my-sys-tenant-from-config";
+
+        CredentialProcedure cp = new CredentialProcedure();
+        cp.setProcedureId(UUID.fromString(procedureId));
+        cp.setCredentialType(LABEL_CREDENTIAL_TYPE);
+        cp.setEmail(email);
+        // For LABEL, decoded JSON is not used, so it can be null
+        cp.setCredentialDecoded(null);
+
+        when(credentialProcedureRepository.findByProcedureId(UUID.fromString(procedureId)))
+                .thenReturn(Mono.just(cp));
+        when(appConfig.getSysTenant()).thenReturn(sysTenant);
+
+        // when
+        Mono<CredentialOfferEmailNotificationInfo> mono =
+                credentialProcedureService.getCredentialOfferEmailInfoByProcedureId(procedureId);
+
+        // then
+        StepVerifier.create(mono)
+                .expectNextMatches(info ->
+                        email.equals(info.email()) &&
+                                sysTenant.equals(info.organization()))
+                .verifyComplete();
+
+        verify(credentialProcedureRepository, times(1))
+                .findByProcedureId(UUID.fromString(procedureId));
+        verify(appConfig, times(1)).getSysTenant();
+    }
+
 }