Fix: don't allow retry signature with revoked VC (#187)

* update version and changelog

* fix(CredentialSignerWorkflowImpl): add condition to check if credential procedure that is being re-signed has status PEND_SIGNATURE

* add testing

* create new CredentialProcedureInvalidStatusException to throw it in CredentialSignerWorkflowImpl.retrySignUnsignedCredential

* create new CredentialProcedureNotFoundException to throw it in CredentialSignerWorkflowImpl.retrySignUnsignedCredential

* enhance changelog entry

* rename 'backofficePdp' > 'backofficePdpService'

Author: rogermiretin2

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.2.3](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.3)
+### Fixed
+- Prevent retrying the signature process when the credential procedure is not in PEND_SIGNATURE status.
+
 ## [v2.2.2](https://github.com/in2workspace/in2-issuer-api/releases/tag/v2.2.2)
 ### Changed
 - Add org ID validation for notification and async signature flows.

build.gradle

@@ -12,7 +12,7 @@ plugins {
 
 group = 'es.in2'
 
-version = '2.2.2'
+version = '2.2.3'
 
 java {
     sourceCompatibility = '17'

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/impl/CredentialStatusWorkflowImpl.java

@@ -5,7 +5,7 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import es.in2.issuer.backend.backoffice.application.workflow.CredentialStatusWorkflow;
-import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdpService;
 import es.in2.issuer.backend.backoffice.domain.service.CredentialStatusAuthorizationService;
 import es.in2.issuer.backend.backoffice.domain.service.CredentialStatusService;
 import es.in2.issuer.backend.backoffice.domain.exception.InvalidStatusException;
@@ -31,7 +31,7 @@ public class CredentialStatusWorkflowImpl implements CredentialStatusWorkflow {
 
     private final CredentialStatusService credentialStatusService;
     private final AccessTokenService accessTokenService;
-    private final BackofficePdp backofficePdp;
+    private final BackofficePdpService backofficePdpService;
     private final CredentialStatusAuthorizationService credentialStatusAuthorizationService;
     private final CredentialProcedureService credentialProcedureService;
     private final ObjectMapper objectMapper;
@@ -49,7 +49,7 @@ public Flux<String> getCredentialsByListId(String processId, int listId) {
     @Override
     public Mono<Void> revokeCredential(String processId, String bearerToken, String credentialProcedureId, int listId) {
         return accessTokenService.getCleanBearerToken(bearerToken)
-                .flatMap(token -> backofficePdp.validateRevokeCredential(processId, token, credentialProcedureId)
+                .flatMap(token -> backofficePdpService.validateRevokeCredential(processId, token, credentialProcedureId)
                         .then(credentialProcedureService.getCredentialProcedureById(credentialProcedureId))
                 )
                 .flatMap(credential -> validateStatus(credential.getCredentialStatus())

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/BackofficePdp.java renamed to src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/BackofficePdpService.java

@@ -2,7 +2,7 @@
 
 import reactor.core.publisher.Mono;
 
-public interface BackofficePdp {
+public interface BackofficePdpService {
 
     Mono<Void> validateSignCredential(String processId, String token, String credentialProcedureId);
 

src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/impl/BackofficePdpImpl.java renamed to src/main/java/es/in2/issuer/backend/backoffice/application/workflow/policies/impl/BackofficePdpServiceImpl.java

@@ -2,7 +2,7 @@
 
 import com.nimbusds.jose.Payload;
 import com.nimbusds.jwt.SignedJWT;
-import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdpService;
 import es.in2.issuer.backend.shared.domain.exception.JWTParsingException;
 import es.in2.issuer.backend.shared.domain.exception.UnauthorizedRoleException;
 import es.in2.issuer.backend.shared.domain.service.JWTService;
@@ -24,7 +24,7 @@
 @Service
 @Slf4j
 @RequiredArgsConstructor
-public class BackofficePdpImpl implements BackofficePdp {
+public class BackofficePdpServiceImpl implements BackofficePdpService {
 
     private final AppConfig appConfig;
     private final JWTService jwtService;

src/main/java/es/in2/issuer/backend/backoffice/domain/service/impl/NotificationServiceImpl.java

@@ -1,16 +1,13 @@
 package es.in2.issuer.backend.backoffice.domain.service.impl;
 
-import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdpService;
 import es.in2.issuer.backend.backoffice.domain.service.NotificationService;
 import es.in2.issuer.backend.shared.domain.exception.EmailCommunicationException;
 import es.in2.issuer.backend.shared.domain.service.*;
 import es.in2.issuer.backend.shared.infrastructure.config.AppConfig;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.http.HttpStatus;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.stereotype.Service;
-import org.springframework.web.server.ResponseStatusException;
 import reactor.core.publisher.Mono;
 
 import static es.in2.issuer.backend.backoffice.domain.util.Constants.*;
@@ -22,7 +19,7 @@ public class NotificationServiceImpl implements NotificationService {
 
     private final AppConfig appConfig;
     private final AccessTokenService accessTokenService;
-    private final BackofficePdp backofficePdp;
+    private final BackofficePdpService backofficePdpService;
     private final EmailService emailService;
     private final CredentialProcedureService credentialProcedureService;
     private final DeferredCredentialMetadataService deferredCredentialMetadataService;
@@ -33,7 +30,7 @@ public Mono<Void> sendNotification(String processId, String procedureId, String
         log.info("sendNotification processId={} organizationId={} token={}", processId, bearerToken, procedureId);
 
         return accessTokenService.getCleanBearerToken(bearerToken)
-                .flatMap(token -> backofficePdp.validateSendReminder(processId, token, procedureId)
+                .flatMap(token -> backofficePdpService.validateSendReminder(processId, token, procedureId)
                         .then(credentialProcedureService.getCredentialProcedureById(procedureId))
                 )
                 .zipWhen(credentialProcedure -> credentialProcedureService.getCredentialOfferEmailInfoByProcedureId(procedureId))

src/main/java/es/in2/issuer/backend/shared/application/workflow/impl/CredentialSignerWorkflowImpl.java

@@ -1,17 +1,18 @@
 package es.in2.issuer.backend.shared.application.workflow.impl;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
+
 import com.upokecenter.cbor.CBORObject;
-import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdp;
+import es.in2.issuer.backend.backoffice.application.workflow.policies.BackofficePdpService;
 import es.in2.issuer.backend.shared.application.workflow.CredentialSignerWorkflow;
 import es.in2.issuer.backend.shared.application.workflow.DeferredCredentialWorkflow;
 import es.in2.issuer.backend.shared.domain.exception.Base45Exception;
+import es.in2.issuer.backend.shared.domain.exception.CredentialProcedureInvalidStatusException;
+import es.in2.issuer.backend.shared.domain.exception.CredentialProcedureNotFoundException;
 import es.in2.issuer.backend.shared.domain.model.dto.*;
 import es.in2.issuer.backend.shared.domain.model.dto.credential.LabelCredential;
 import es.in2.issuer.backend.shared.domain.model.dto.credential.lear.employee.LEARCredentialEmployee;
 import es.in2.issuer.backend.shared.domain.model.dto.credential.lear.machine.LEARCredentialMachine;
+import es.in2.issuer.backend.shared.domain.model.enums.CredentialStatusEnum;
 import es.in2.issuer.backend.shared.domain.model.enums.SignatureType;
 import es.in2.issuer.backend.shared.domain.service.*;
 import es.in2.issuer.backend.shared.domain.util.factory.IssuerFactory;
@@ -28,11 +29,8 @@
 import org.springframework.stereotype.Service;
 import reactor.core.publisher.Mono;
 import reactor.core.scheduler.Schedulers;
-import reactor.util.function.Tuples;
 
 import java.io.ByteArrayOutputStream;
-import java.sql.Timestamp;
-import java.time.Instant;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
@@ -48,7 +46,7 @@
 public class CredentialSignerWorkflowImpl implements CredentialSignerWorkflow {
 
     private final AccessTokenService accessTokenService;
-    private final BackofficePdp backofficePdp;
+    private final BackofficePdpService backofficePdpService;
     private final AppConfig appConfig;
     private final DeferredCredentialWorkflow deferredCredentialWorkflow;
     private final RemoteSignatureService remoteSignatureService;
@@ -204,20 +202,28 @@ public Mono<Void> retrySignUnsignedCredential(String processId, String authoriza
 
         return accessTokenService.getCleanBearerToken(authorizationHeader)
                 .flatMap(token ->
-                        backofficePdp.validateSignCredential(processId, token, procedureId)
+                        backofficePdpService.validateSignCredential(processId, token, procedureId)
                                 .then(Mono.just(token))
                                 .zipWhen(t -> accessTokenService.getMandateeEmail(authorizationHeader))
-                                .zipWhen(
-                                        tuple2 -> accessTokenService.getOrganizationId(authorizationHeader),
-                                        (tuple2, orgId) -> Tuples.of(tuple2.getT1(), tuple2.getT2(), orgId)
-                                )
                 )
-                .flatMap(tuple3 -> {
-                    String token = tuple3.getT1();
-                    String email = tuple3.getT2();
+                .flatMap(tupleTokenEmail -> {
+                    String token = tupleTokenEmail.getT1();
+                    String email = tupleTokenEmail.getT2();
 
                     return credentialProcedureRepository.findByProcedureId(UUID.fromString(procedureId))
-                            .switchIfEmpty(Mono.error(new RuntimeException("Procedure not found")))
+                            .switchIfEmpty(Mono.error(new CredentialProcedureNotFoundException(
+                                    "Credential procedure with ID " + procedureId + " was not found"
+                            )))
+                            .doOnNext(credentialProcedure ->
+                                    log.info("ProcessID: {} - Current credential status: {}",
+                                            processId, credentialProcedure.getCredentialStatus())
+                            )
+                            .filter(credentialProcedure ->
+                                    credentialProcedure.getCredentialStatus() == CredentialStatusEnum.PEND_SIGNATURE
+                            )
+                            .switchIfEmpty(Mono.error(new CredentialProcedureInvalidStatusException(
+                                    "Credential procedure with ID " + procedureId + " is not in PEND_SIGNATURE status"
+                            )))
                             .flatMap(credentialProcedure -> {
                                 Mono<Void> updateDecodedCredentialMono =
                                         switch (credentialProcedure.getCredentialType()) {

src/main/java/es/in2/issuer/backend/shared/domain/exception/CredentialProcedureInvalidStatusException.java

@@ -0,0 +1,7 @@
+package es.in2.issuer.backend.shared.domain.exception;
+
+public class CredentialProcedureInvalidStatusException extends RuntimeException {
+    public CredentialProcedureInvalidStatusException(String message) {
+        super(message);
+    }
+}

src/main/java/es/in2/issuer/backend/shared/domain/exception/CredentialProcedureNotFoundException.java

@@ -0,0 +1,7 @@
+package es.in2.issuer.backend.shared.domain.exception;
+
+public class CredentialProcedureNotFoundException extends RuntimeException {
+    public CredentialProcedureNotFoundException(String message) {
+        super(message);
+    }
+}

src/main/java/es/in2/issuer/backend/shared/domain/util/GlobalErrorTypes.java

@@ -26,7 +26,9 @@ public enum GlobalErrorTypes {
     JWT_VERIFICATION("jwt_verification_error"),
     UNAUTHORIZED_ROLE("unauthorized_role"),
     EMAIL_COMMUNICATION("email_communication_error"),
-    CREDENTIAL_SERIALIZATION("credential_serialization");
+    CREDENTIAL_SERIALIZATION("credential_serialization"),
+    CREDENTIAL_PROCEDURE_INVALID_STATUS("credential_procedure_invalid_status"),
+    CREDENTIAL_PROCEDURE_NOT_FOUND("credential_procedure_not_found");
 
     private final String code;