[SELC-7948] feat: modify getInstution to retrieve roles and actions from IAM (#558)

Author: giulia-tremolada

docs/openapi/api-iam-docs.json

@@ -28,6 +28,34 @@
           }
         }
       },
+      "ProductRolePermissions" : {
+        "type" : "object",
+        "properties" : {
+          "productId" : {
+            "type" : "string"
+          },
+          "role" : {
+            "type" : "string"
+          },
+          "permissions" : {
+            "type" : "array",
+            "items" : {
+              "type" : "string"
+            }
+          }
+        }
+      },
+      "ProductRolePermissionsList" : {
+        "type" : "object",
+        "properties" : {
+          "items" : {
+            "type" : "array",
+            "items" : {
+              "$ref" : "#/components/schemas/ProductRolePermissions"
+            }
+          }
+        }
+      },
       "ProductRoles" : {
         "type" : "object",
         "properties" : {
@@ -208,6 +236,59 @@
         } ]
       }
     },
+    "/iam/users/role/permissions/{uid}" : {
+      "get" : {
+        "summary" : "Get IAM user Product Role Permissions List",
+        "description" : "Retrieves a list of product, role and permissions by user ID and product ID.",
+        "operationId" : "getIAMProductRolePermissionsList",
+        "tags" : [ "external-v2" ],
+        "parameters" : [ {
+          "name" : "uid",
+          "in" : "path",
+          "required" : true,
+          "schema" : {
+            "type" : "string"
+          }
+        }, {
+          "name" : "productId",
+          "in" : "query",
+          "schema" : {
+            "type" : "string"
+          }
+        } ],
+        "responses" : {
+          "200" : {
+            "description" : "OK",
+            "content" : {
+              "application/json" : {
+                "schema" : {
+                  "$ref" : "#/components/schemas/ProductRolePermissionsList"
+                }
+              }
+            }
+          },
+          "500" : {
+            "description" : "Internal Server Error",
+            "content" : {
+              "application/problem+json" : {
+                "schema" : {
+                  "$ref" : "#/components/schemas/Problem"
+                }
+              }
+            }
+          },
+          "401" : {
+            "description" : "Not Authorized"
+          },
+          "403" : {
+            "description" : "Not Allowed"
+          }
+        },
+        "security" : [ {
+          "SecurityScheme" : [ ]
+        } ]
+      }
+    },
     "/iam/users/{uid}" : {
       "get" : {
         "summary" : "Get IAM User",

integration-test-config/db/userClaims.json

@@ -9,6 +9,21 @@
       ]
     }]
   },
+  {
+    "_id": "9f2b6b54-6c2b-4b36-8d83-4cd1d6fcf3e8",
+    "email": "EEFF4l3KRN2cJKm8PDpdMjrVeWG00GeYY6JCbxHlcAPSpQ==",
+    "productRoles": [{
+      "productId": "prod-interop",
+      "roles": [
+        "OPERATOR"
+      ]},
+      {
+        "productId": "ALL",
+        "roles": [
+          "SUPPORT"
+        ]
+      }]
+  },
   {
     "_id": "a0530f76-3454-418c-9d65-eb3162075495",
     "email": "EEFF4l3KRN6cJKm8PDpdMjrVx7KTMZG/p/OjXGPw8gHYAg==",

src/main/java/it/pagopa/selfcare/dashboard/service/InstitutionV2ServiceImpl.java

@@ -3,10 +3,7 @@
 import it.pagopa.selfcare.commons.base.security.SelfCareUser;
 import it.pagopa.selfcare.core.generated.openapi.v1.dto.OnboardingResponse;
 import it.pagopa.selfcare.core.generated.openapi.v1.dto.OnboardingsResponse;
-import it.pagopa.selfcare.dashboard.client.CoreInstitutionApiRestClient;
-import it.pagopa.selfcare.dashboard.client.OnboardingRestClient;
-import it.pagopa.selfcare.dashboard.client.TokenRestClient;
-import it.pagopa.selfcare.dashboard.client.UserApiRestClient;
+import it.pagopa.selfcare.dashboard.client.*;
 import it.pagopa.selfcare.dashboard.exception.ResourceNotFoundException;
 import it.pagopa.selfcare.dashboard.model.institution.Institution;
 import it.pagopa.selfcare.dashboard.model.institution.RelationshipState;
@@ -15,6 +12,8 @@
 import it.pagopa.selfcare.dashboard.model.user.OnboardedProductWithActions;
 import it.pagopa.selfcare.dashboard.model.user.UserInfo;
 import it.pagopa.selfcare.dashboard.model.user.UserInstitutionWithActionsDto;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.ProductRolePermissions;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.ProductRolePermissionsList;
 import it.pagopa.selfcare.onboarding.generated.openapi.v1.dto.OnboardingGetResponse;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.encoder.Encode;
@@ -46,6 +45,7 @@ public class InstitutionV2ServiceImpl implements InstitutionV2Service {
     private final UserApiRestClient userApiRestClient;
     private final CoreInstitutionApiRestClient coreInstitutionApiRestClient;
     private final OnboardingRestClient onboardingRestClient;
+    private final IamExternalRestClient iamExternalRestClient;
     private final TokenRestClient tokenRestClient;
     private final UserMapper userMapper;
     private final InstitutionMapper institutionMapper;
@@ -56,6 +56,7 @@ public InstitutionV2ServiceImpl(@Value("${dashboard.institution.getUsers.filter.
                                     UserApiRestClient userApiRestClient,
                                     CoreInstitutionApiRestClient coreInstitutionApiRestClient,
                                     OnboardingRestClient onboardingRestClient,
+                                    IamExternalRestClient iamExternalRestClient,
                                     TokenRestClient tokenRestClient,
                                     UserMapper userMapper,
                                     InstitutionMapper institutionMapper,
@@ -64,6 +65,7 @@ public InstitutionV2ServiceImpl(@Value("${dashboard.institution.getUsers.filter.
         this.userApiRestClient = userApiRestClient;
         this.coreInstitutionApiRestClient = coreInstitutionApiRestClient;
         this.onboardingRestClient = onboardingRestClient;
+        this.iamExternalRestClient = iamExternalRestClient;
         this.tokenRestClient = tokenRestClient;
         this.userMapper = userMapper;
         this.institutionMapper = institutionMapper;
@@ -112,14 +114,13 @@ public Institution findInstitutionById(String institutionId) {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         SelfCareUser selfCareUser = (SelfCareUser) authentication.getPrincipal();
         String issuer = selfCareUser.getIssuer();
+        String userId = selfCareUser.getId();
 
         if (ISSUER_PAGOPA.equalsIgnoreCase(issuer)) {
-            log.debug("Issuer is PAGOPA, skipping user-institution permission checks");
-            return institution;
+            log.debug("Issuer is PAGOPA, using IAM to check permissions");
+            return getInstitutionWithActionsIam(institutionId, userId, institution);
         }
 
-        String userId = selfCareUser.getId();
-
         UserInstitutionWithActionsDto userInstitutionWithActionsDto = userMapper.toUserInstitutionWithActionsDto(userApiRestClient._getUserInstitutionWithPermission(institutionId, userId, null).getBody());
 
         if (Objects.isNull(userInstitutionWithActionsDto))
@@ -143,6 +144,35 @@ public Institution findInstitutionById(String institutionId) {
         return institution;
     }
 
+    private Institution getInstitutionWithActionsIam(String institutionId, String userId, Institution institution) {
+
+        List<ProductRolePermissions> productRolePermissions = Optional.ofNullable(
+                        iamExternalRestClient._getIAMProductRolePermissionsList(userId, null).getBody())
+                .map(ProductRolePermissionsList::getItems)
+                .filter(list -> !list.isEmpty())
+                .orElseThrow(() -> new AccessDeniedException(
+                        String.format("User %s has not permission on institution %s", userId, institutionId)));
+
+        ProductRolePermissions globalPermission = productRolePermissions.stream()
+                .filter(p -> "ALL".equals(p.getProductId()))
+                .findFirst().orElse(null);
+
+        institution.getOnboarding().stream()
+                .filter(p -> RelationshipState.ACTIVE.equals(p.getStatus()))
+                .forEach(p -> productRolePermissions.stream()
+                        .filter(iam -> iam.getProductId().equals(p.getProductId()))
+                        .findFirst()
+                        .or(() -> Optional.ofNullable(globalPermission))
+                        .ifPresent(iam -> {
+                            p.setAuthorized(true);
+                            p.setUserRole(iam.getRole());
+                            p.setUserProductActions(iam.getPermissions());
+                        }));
+
+        return institution;
+    }
+
+
     @Override
     public OnboardingsResponse getOnboardingsInfoResponse(String institutionId, List<String> products) {
         log.trace("getOnboardingsResponse start");

src/test/java/it/pagopa/selfcare/dashboard/integration_test/CucumberSuite.java

@@ -27,6 +27,7 @@
 @ConfigurationParameters({
     @ConfigurationParameter(key = PLUGIN_PROPERTY_NAME, value = "pretty"),
     @ConfigurationParameter(key = PLUGIN_PROPERTY_NAME, value = "html:target/cucumber-report/cucumber.html"),
+    @ConfigurationParameter(key = "cucumber.filter.tags", value = "not @skip")
 })
 @CucumberContextConfiguration
 @TestPropertySource(locations = "classpath:application-test.properties")