[SELC-7901] feat: add call to getIAMUser to obtain roles in exchangeBackofficeAdmin API (#557)

Author: duffizipierluigi

integration-test-config/db/roles.json

@@ -21,7 +21,9 @@
     "_id": "SUPPORT",
     "permissions": [
       "read:users",
-      "write:users"
+      "write:users",
+      "Selc:ViewInstitutionData",
+      "Selc:AccessProductBackofficeAdmin"
     ]
   }
 ]

integration-test-config/db/userClaims.json

@@ -2,11 +2,10 @@
   {
     "_id": "35a78332-d038-4bfa-8e85-2cba7f6b7bf8",
     "email": "EEFF4l3KRN2cJKm8PDpdMjrVeWG00GeYY6JCbxHlcAPSpQ==",
-    "name": "user-001",
     "productRoles": [{
       "productId": "prod-interop",
       "roles": [
-        "ADMIN"
+        "SUPPORT"
       ]
     }]
   },
@@ -18,7 +17,7 @@
       {
         "productId": "product-A",
         "roles": [
-          "OPERATOR"
+          "ADMIN"
         ]
       },
       {

src/main/java/it/pagopa/selfcare/dashboard/client/IamExternalRestClient.java

@@ -3,6 +3,6 @@
 import it.pagopa.selfcare.iam.generated.openapi.v1.api.ExternalV2Api;
 import org.springframework.cloud.openfeign.FeignClient;
 
-@FeignClient(name = "${rest-client.iam.serviceCode}", url = "${rest-client.iam.base-url}")
+@FeignClient(name = "${rest-client.iam-external.serviceCode}", url = "${rest-client.iam-external.base-url}")
 public interface IamExternalRestClient extends ExternalV2Api {
 }

src/main/java/it/pagopa/selfcare/dashboard/config/IamExternalRestClientConfig.java

@@ -0,0 +1,15 @@
+package it.pagopa.selfcare.dashboard.config;
+
+import it.pagopa.selfcare.commons.connector.rest.config.RestClientBaseConfig;
+import it.pagopa.selfcare.dashboard.client.IamExternalRestClient;
+import org.springframework.cloud.openfeign.EnableFeignClients;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.PropertySource;
+
+@Configuration
+@Import(RestClientBaseConfig.class)
+@EnableFeignClients(clients = IamExternalRestClient.class)
+@PropertySource("classpath:config/iam-rest-client.properties")
+public class IamExternalRestClientConfig {
+}

src/main/java/it/pagopa/selfcare/dashboard/model/mapper/InstitutionResourceMapper.java

@@ -9,6 +9,7 @@
 import it.pagopa.selfcare.dashboard.model.UpdateInstitutionDto;
 import it.pagopa.selfcare.dashboard.model.institution.*;
 import it.pagopa.selfcare.dashboard.security.ExchangeTokenServiceV2;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.ProductRoles;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
 import org.mapstruct.Named;
@@ -18,8 +19,10 @@
 import org.springframework.util.StringUtils;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 import static it.pagopa.selfcare.dashboard.model.institution.RelationshipState.PENDING;
 import static it.pagopa.selfcare.dashboard.model.institution.RelationshipState.TOBEVALIDATED;
@@ -107,8 +110,8 @@ default String toUserRole(String userRole) {
     @Mapping(target = "subUnitType", source = "institution.subunitType")
     @Mapping(target = "subUnitCode", source = "institution.subunitCode")
     @Mapping(target = "rootParent", expression = "java(toRootParent(institution))")
-    @Mapping(target = "roles", expression = "java(toRolesBackofficeAdmin())")
-    InstitutionBackofficeAdmin toInstitutionBackofficeAdmin(Institution institution);
+    @Mapping(target = "roles", expression = "java(toRolesBackofficeAdmin(productRoles))")
+    InstitutionBackofficeAdmin toInstitutionBackofficeAdmin(Institution institution, List<ProductRoles> productRoles);
 
     @Named("toRootParent")
     default RootParent toRootParent(Institution institutionInfo) {
@@ -129,12 +132,20 @@ default List<ExchangeTokenServiceV2.Role> toRoles(List<ProductGrantedAuthority>
         return roles;
     }
 
-    default List<RoleBackofficeAdmin> toRolesBackofficeAdmin() {
-        RoleBackofficeAdmin institutionRole = new RoleBackofficeAdmin();
-        institutionRole.setPartyRole("SUPPORT");
-        institutionRole.setProductRole("support");
+    default List<RoleBackofficeAdmin> toRolesBackofficeAdmin(List<ProductRoles> productRoles) {
+        return  Optional.ofNullable(productRoles)
+                .orElse(Collections.emptyList())
+                .stream()
+                .flatMap(productRole -> productRole.getRoles().stream()
+                        .map(this::constructRoleBackofficeAdmin))
+                .collect(Collectors.toList());
+    }
 
-        return List.of(institutionRole);
+    default RoleBackofficeAdmin constructRoleBackofficeAdmin(String role) {
+        RoleBackofficeAdmin roleBackofficeAdmin = new RoleBackofficeAdmin();
+        roleBackofficeAdmin.setPartyRole(role);
+        roleBackofficeAdmin.setProductRole(role.toLowerCase());
+        return roleBackofficeAdmin;
     }
 
     default List<ExchangeTokenServiceV2.Role> constructRole(ProductGrantedAuthority productGrantedAuthority, boolean isBillingToken) {

src/main/java/it/pagopa/selfcare/dashboard/security/ExchangeTokenServiceV2.java

@@ -2,16 +2,18 @@
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.impl.DefaultClaims;
 import it.pagopa.selfcare.commons.base.logging.LogUtils;
 import it.pagopa.selfcare.commons.base.security.PartyRole;
 import it.pagopa.selfcare.commons.base.security.ProductGrantedAuthority;
 import it.pagopa.selfcare.commons.base.security.SelfCareUser;
 import it.pagopa.selfcare.commons.web.security.JwtService;
+import it.pagopa.selfcare.dashboard.client.IamExternalRestClient;
 import it.pagopa.selfcare.dashboard.client.UserInstitutionApiRestClient;
 import it.pagopa.selfcare.dashboard.model.institution.InstitutionBackofficeAdmin;
-import it.pagopa.selfcare.dashboard.model.institution.RoleBackofficeAdmin;
 import it.pagopa.selfcare.dashboard.model.institution.RootParent;
 import it.pagopa.selfcare.dashboard.model.product.mapper.ProductMapper;
 import it.pagopa.selfcare.dashboard.exception.InvalidRequestException;
@@ -28,6 +30,7 @@
 import it.pagopa.selfcare.dashboard.config.ExchangeTokenProperties;
 import it.pagopa.selfcare.dashboard.model.ExchangedToken;
 import it.pagopa.selfcare.dashboard.model.mapper.InstitutionResourceMapper;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.UserClaims;
 import it.pagopa.selfcare.product.entity.Product;
 import it.pagopa.selfcare.product.service.ProductService;
 import it.pagopa.selfcare.user.generated.openapi.v1.dto.UserInstitutionResponse;
@@ -78,18 +81,20 @@ public class ExchangeTokenServiceV2 {
     public final UserV2Service userService;
     private final ProductService productService;
     private final UserInstitutionApiRestClient userInstitutionApiRestClient;
+    private final IamExternalRestClient iamExternalRestClient;
     private final String issuer;
 
     private final InstitutionResourceMapper institutionResourceMapper;
     private final InstitutionMapper institutionMapper;
     private final ProductMapper productMapper;
+    private final ObjectMapper objectMapper;
 
     public ExchangeTokenServiceV2(JwtService jwtService,
                                   InstitutionService institutionService,
                                   UserGroupV2Service groupService,
                                   ExchangeTokenProperties properties,
-                                  UserV2Service userService, ProductService productService, UserInstitutionApiRestClient userInstitutionApiRestClient,
-                                  InstitutionResourceMapper institutionResourceMapper, InstitutionMapper institutionMapper, ProductMapper productMapper)
+                                  UserV2Service userService, ProductService productService, UserInstitutionApiRestClient userInstitutionApiRestClient, IamExternalRestClient iamExternalRestClient,
+                                  InstitutionResourceMapper institutionResourceMapper, InstitutionMapper institutionMapper, ProductMapper productMapper, ObjectMapper objectMapper)
             throws InvalidKeySpecException, NoSuchAlgorithmException {
         this.billingUrl = properties.getBillingUrl();
         this.billingAudience = properties.getBillingAudience();
@@ -103,9 +108,11 @@ public ExchangeTokenServiceV2(JwtService jwtService,
         this.userService = userService;
         this.productService = productService;
         this.userInstitutionApiRestClient = userInstitutionApiRestClient;
+        this.iamExternalRestClient = iamExternalRestClient;
         this.institutionResourceMapper = institutionResourceMapper;
         this.institutionMapper = institutionMapper;
         this.productMapper = productMapper;
+        this.objectMapper = objectMapper;
     }
 
 
@@ -151,7 +158,15 @@ public ExchangedToken exchangeBackofficeAdmin(String institutionId, String produ
 
         it.pagopa.selfcare.dashboard.model.institution.Institution institution = institutionService.getInstitutionById(institutionId);
         Assert.notNull(institution, INSTITUTION_REQUIRED_MESSAGE);
-        InstitutionBackofficeAdmin institutionExchange = institutionResourceMapper.toInstitutionBackofficeAdmin(institution);
+
+        UserClaims userClaims;
+        try {
+            userClaims = objectMapper.readValue(iamExternalRestClient._getIAMUser(selfCareUser.getId(), productId).getBody(), UserClaims.class);
+        } catch (JsonProcessingException e) {
+            throw new IllegalArgumentException(String.format("User Claims are required for product '%s' and institution '%s'", productId, institutionId));
+        }
+
+        InstitutionBackofficeAdmin institutionExchange = institutionResourceMapper.toInstitutionBackofficeAdmin(institution, userClaims.getProductRoles());
 
         TokenExchangeClaims claims = retrieveAndSetBackofficeAdminClaims(authentication.getCredentials().toString(), institutionExchange,  selfCareUser);
 

src/main/resources/config/iam-rest-client.properties

@@ -1,7 +1,14 @@
 rest-client.iam.serviceCode=iam
-rest-client.iam.base-url=${IAM_URL::http://localhost:8080}
+rest-client.iam.base-url=${IAM_URL:http://localhost:8080}
 feign.client.config.iam.connectTimeout=${IAM_REST_CLIENT_CONNECT_TIMEOUT:${REST_CLIENT_CONNECT_TIMEOUT:5000}}
 feign.client.config.iam.errorDecoder=it.pagopa.selfcare.dashboard.decoder.FeignErrorDecoder
 feign.client.config.iam.readTimeout=${IAM_REST_CLIENT_READ_TIMEOUT:${REST_CLIENT_READ_TIMEOUT:5000}}
 feign.client.config.iam.loggerLevel=${IAM_REST_CLIENT_LOGGER_LEVEL:${REST_CLIENT_LOGGER_LEVEL:FULL}}
 feign.client.config.iam.requestInterceptors[0]=it.pagopa.selfcare.commons.connector.rest.interceptor.AuthorizationHeaderInterceptor
+rest-client.iam-external.serviceCode=iam-external
+rest-client.iam-external.base-url=${IAM_URL:http://localhost:8080}
+feign.client.config.iam-external.connectTimeout=${IAM_REST_CLIENT_CONNECT_TIMEOUT:${REST_CLIENT_CONNECT_TIMEOUT:5000}}
+feign.client.config.iam-external.errorDecoder=it.pagopa.selfcare.dashboard.decoder.FeignErrorDecoder
+feign.client.config.iam-external.readTimeout=${IAM_REST_CLIENT_READ_TIMEOUT:${REST_CLIENT_READ_TIMEOUT:5000}}
+feign.client.config.iam-external.loggerLevel=${IAM_REST_CLIENT_LOGGER_LEVEL:${REST_CLIENT_LOGGER_LEVEL:FULL}}
+feign.client.config.iam-external.requestInterceptors[0]=it.pagopa.selfcare.commons.connector.rest.interceptor.AuthorizationHeaderInterceptor

src/test/java/it/pagopa/selfcare/dashboard/security/ExchangeTokenServiceV2Test.java

@@ -1,10 +1,13 @@
 package it.pagopa.selfcare.dashboard.security;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.Jwts;
 import it.pagopa.selfcare.commons.base.security.ProductGrantedAuthority;
 import it.pagopa.selfcare.commons.base.security.SelfCareGrantedAuthority;
 import it.pagopa.selfcare.commons.base.security.SelfCareUser;
 import it.pagopa.selfcare.commons.web.security.JwtService;
+import it.pagopa.selfcare.dashboard.client.IamExternalRestClient;
 import it.pagopa.selfcare.dashboard.client.UserInstitutionApiRestClient;
 import it.pagopa.selfcare.dashboard.config.ExchangeTokenProperties;
 import it.pagopa.selfcare.dashboard.model.ExchangedToken;
@@ -16,6 +19,8 @@
 import it.pagopa.selfcare.dashboard.service.InstitutionService;
 import it.pagopa.selfcare.dashboard.service.UserGroupV2Service;
 import it.pagopa.selfcare.dashboard.service.UserV2Service;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.ProductRoles;
+import it.pagopa.selfcare.iam.generated.openapi.v1.dto.UserClaims;
 import it.pagopa.selfcare.product.entity.Product;
 import it.pagopa.selfcare.product.service.ProductService;
 import it.pagopa.selfcare.user.generated.openapi.v1.dto.OnboardedProductResponse;
@@ -58,6 +63,9 @@ class ExchangeTokenServiceV2Test {
     @Mock
     private UserInstitutionApiRestClient userInstitutionApiRestClient;
 
+    @Mock
+    private IamExternalRestClient iamExternalRestClient;
+
     @Mock
     private InstitutionService institutionService;
 
@@ -88,8 +96,11 @@ class ExchangeTokenServiceV2Test {
 
     private ExchangeTokenServiceV2 exchangeTokenServiceV2;
 
+    private ObjectMapper objectMapper;
+
     @BeforeEach
     void setUp() throws Exception {
+        objectMapper = new ObjectMapper();
         when(exchangeTokenProperties.getBillingAudience()).thenReturn("aud");
         when(exchangeTokenProperties.getBillingUrl()).thenReturn("url");
         when(exchangeTokenProperties.getDuration()).thenReturn("PT20H30M");
@@ -105,7 +116,7 @@ void setUp() throws Exception {
 
         exchangeTokenServiceV2 = new ExchangeTokenServiceV2(jwtService,
                 institutionService,userGroupV2Service,exchangeTokenProperties,userV2Service,productService,
-                userInstitutionApiRestClient,institutionResourceMapper,institutionMapper, productMapper);
+                userInstitutionApiRestClient,iamExternalRestClient,institutionResourceMapper,institutionMapper, productMapper, objectMapper);
     }
 
 
@@ -186,7 +197,7 @@ void exchange_noProductGrantedAuthority_throwsIllegalArgumentException() {
     }
 
     @Test
-    void exchangeBackofficeAdmin_validInputs_returnsExchangedToken() {
+    void exchangeBackofficeAdmin_validInputs_returnsExchangedToken() throws JsonProcessingException {
         String jti = "id";
         String sub = "subject";
         String iss = "PAGOPA";
@@ -196,6 +207,15 @@ void exchangeBackofficeAdmin_validInputs_returnsExchangedToken() {
         String productId = "productId";
         String credential = "password";
         String userId = UUID.randomUUID().toString();
+        UserClaims userClaims = new UserClaims();
+        List<ProductRoles> productRoles = List.of(
+                ProductRoles.builder()
+                        .productId(productId)
+                        .roles(List.of("SUPPORT"))
+                        .build()
+        );
+        userClaims.setProductRoles(productRoles);
+        String userClaimsJson = objectMapper.writeValueAsString(userClaims);
 
         it.pagopa.selfcare.dashboard.model.institution.Institution institution = mock(it.pagopa.selfcare.dashboard.model.institution.Institution.class);
         Product product = mock(Product.class);
@@ -211,23 +231,55 @@ void exchangeBackofficeAdmin_validInputs_returnsExchangedToken() {
 
         when(institutionService.getInstitutionById(institutionId)).thenReturn(institution);
         when(productService.getProduct(productId)).thenReturn(product);
+        when(iamExternalRestClient._getIAMUser(userId, productId))
+                .thenReturn(ResponseEntity.ok(userClaimsJson));
 
         ExchangedToken result = exchangeTokenServiceV2.exchangeBackofficeAdmin(institutionId, productId, Optional.empty());
 
         assertNotNull(result);
         assertNotNull(result.getIdentityToken());
     }
 
-        @Test
-        void exchangeBackofficeAdmin_noAuth() {
-            // Arrange
-            String institutionId = "validInstitutionId";
-            String productId = "validProductId";
-            Optional<String> environment = Optional.of("validEnvironment");
-            SecurityContextHolder.getContext().setAuthentication(null);
+    @Test
+    void exchangeBackofficeAdmin_noAuth() {
+        // Arrange
+        String institutionId = "validInstitutionId";
+        String productId = "validProductId";
+        Optional<String> environment = Optional.of("validEnvironment");
+        SecurityContextHolder.getContext().setAuthentication(null);
+
+        Assertions.assertThrows(IllegalStateException.class, () -> exchangeTokenServiceV2.exchangeBackofficeAdmin(institutionId, productId, environment), "Authentication is required");
+    }
+
+    @Test
+    void exchangeBackofficeAdmin_noUserClaims_throwsIllegalArgumentException() {
+        String institutionId = "institutionId";
+        String productId = "productId";
+        String credential = "password";
+        String userId = UUID.randomUUID().toString();
 
-            Assertions.assertThrows(IllegalStateException.class, () -> exchangeTokenServiceV2.exchangeBackofficeAdmin(institutionId, productId, environment), "Authentication is required");
-        }
+        it.pagopa.selfcare.dashboard.model.institution.Institution institution = mock(it.pagopa.selfcare.dashboard.model.institution.Institution.class);
+
+        TestSecurityContextHolder.setAuthentication(new TestingAuthenticationToken(SelfCareUser.builder(userId).build(), credential));
+
+        when(institutionService.getInstitutionById(institutionId)).thenReturn(institution);
+        when(iamExternalRestClient._getIAMUser(userId, productId))
+                .thenReturn(ResponseEntity.ok("invalid json response"));
+
+        IllegalArgumentException exception = assertThrows(
+                IllegalArgumentException.class,
+                () -> exchangeTokenServiceV2.exchangeBackofficeAdmin(
+                        institutionId,
+                        productId,
+                        Optional.empty()
+                )
+        );
+
+        Assertions.assertEquals(
+                String.format("User Claims are required for product '%s' and institution '%s'", productId, institutionId),
+                exception.getMessage()
+        );
+    }
 
     @Test
     void testRetrieveBillingExchangedToken_AuthenticationMissing() {

src/test/resources/application-test.properties

@@ -13,6 +13,7 @@ rest-client.ms-core.base-url=http://localhost:8082
 rest-client.user-groups.base-url=http://localhost:8083
 rest-client.onboarding.base-url=http://localhost:8080
 rest-client.iam.base-url=http://localhost:8085
+rest-client.iam-external.base-url=http://localhost:8085
 
 rest-client.party-management.base-url=http://localhost:8082
 rest-client.party-process.base-url=http://localhost:8082