feat: PROMOTE TO UAT

helm/values.yaml

@@ -88,6 +88,8 @@ microservice-chart:
 
     DATA_CIPHER_P4PA_AUTH_HASH_KEY: p4pa-auth-hash-key
     DATA_CIPHER_P4PA_AUTH_ENCRYPT_PSW: p4pa-auth-encrypt-psw
+
+    PIATTAFORMA_UNITARIA_CLIENT_SECRET: piattaforma-unitaria-client-secret
   # nodeSelector: {}
 
   # tolerations: []

openapi/p4pa-auth.openapi.yaml

@@ -212,9 +212,39 @@ paths:
           description: Unauthorized
         '403':
           description: Forbidden
+        '409':
+          description: Conflict
         '429':
           description: Too Many Requests
   /auth/clients/{organizationIpaCode}/{clientId}:
+    delete:
+      tags:
+        - authz
+      operationId: revokeClient
+      parameters:
+        - name: organizationIpaCode
+          in: path
+          required: true
+          schema:
+            type: string
+        - name: clientId
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '204':
+          description: OK
+        '400':
+          description: Invalid request
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '412':
+          description: ToS acceptance missing
+        '429':
+          description: Too Many Requests
     get:
       tags:
         - authz

postman/p4pa-auth-E2E.postman_collection.json

@@ -1,9 +1,10 @@
 {
 	"info": {
-		"_postman_id": "c7fcdcac-8bbb-446f-8ea3-a1c4fa4451c3",
+		"_postman_id": "c348ca3e-46f7-4ad9-a4bb-38a800bc5713",
 		"name": "p4pa-auth-E2E",
 		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
-		"_exporter_id": "36568841"
+		"_exporter_id": "15747968",
+		"_collection_link": "https://warped-astronaut-141685.postman.co/workspace/P4PA~9a8b7dd5-97b6-4dd0-b3f5-95f25fd0b455/collection/15747968-c348ca3e-46f7-4ad9-a4bb-38a800bc5713?action=share&source=collection_link&creator=15747968"
 	},
 	"item": [
 		{
@@ -23,7 +24,7 @@
 							"    pm.expect(jsonResponse).have.property(\"expiresIn\").to.eq(14400);\r",
 							"    pm.expect(jsonResponse).have.property(\"accessToken\");\r",
 							"\r",
-							"    pm.variables.set(\"accessToken\", jsonResponse.accessToken)\r",
+							"    pm.collectionVariables.set(\"accessToken\", jsonResponse.accessToken)\r",
 							"});"
 						],
 						"type": "text/javascript",
@@ -91,7 +92,7 @@
 							"    pm.expect(jsonResponse).have.property(\"expiresIn\").to.eq(14400);\r",
 							"    pm.expect(jsonResponse).have.property(\"accessToken\");\r",
 							"\r",
-							"    pm.variables.set(\"accessToken\", jsonResponse.accessToken)\r",
+							"    pm.collectionVariables.set(\"accessToken\", jsonResponse.accessToken)\r",
 							"});"
 						],
 						"type": "text/javascript",
@@ -159,7 +160,7 @@
 							"    pm.expect(jsonResponse).have.property(\"expiresIn\").to.eq(14400);\r",
 							"    pm.expect(jsonResponse).have.property(\"accessToken\");\r",
 							"\r",
-							"    pm.variables.set(\"accessToken\", jsonResponse.accessToken)\r",
+							"    pm.collectionVariables.set(\"accessToken\", jsonResponse.accessToken)\r",
 							"});"
 						],
 						"type": "text/javascript",
@@ -234,8 +235,8 @@
 							"\r",
 							"    pm.expect(jsonResponse.organizations).have.property(\"length\").to.gte(3)\r",
 							"    \r",
-							"    pm.environment.set(\"mappedExternalUserId\",jsonResponse.mappedExternalUserId)\r",
-							"    pm.environment.set(\"organizationIpaCode\",jsonResponse.organizationAccess)\r",
+							"    pm.collectionVariables.set(\"mappedExternalUserId\",jsonResponse.mappedExternalUserId)\r",
+							"    pm.collectionVariables.set(\"organizationIpaCode\",jsonResponse.organizationAccess)\r",
 							"    var recognizedOrganizations = 0\r",
 							"    const registeredOrganizations=[\r",
 							"        \"IPA_TEST\",\r",
@@ -310,8 +311,6 @@
 							"\r",
 							"    pm.expect(jsonResponse.organizations).have.property(\"length\").to.gte(2)\r",
 							"    \r",
-							"    pm.environment.set(\"mappedExternalUserId\",jsonResponse.mappedExternalUserId)\r",
-							"    pm.environment.set(\"organizationIpaCode\",jsonResponse.organizationAccess)\r",
 							"    var recognizedOrganizations = 0\r",
 							"    const registeredOrganizations=[\r",
 							"        \"IPA_TEST\",\r",
@@ -677,22 +676,84 @@
 					"listen": "test",
 					"script": {
 						"exec": [
+							"pm.test(\"Auth - registerClient - Responses with 200\", function () {\r",
+							"    pm.response.to.have.status(200);\r",
+							"});\r",
+							"\r",
 							"pm.test(\"Auth - registerClient - Response is correct based on record existence\", function () {\r",
 							"    let jsonResponse = pm.response.json();\r",
 							"\r",
-							"    // Controlla se il clientId esiste nella risposta\r",
-							"    if (jsonResponse.hasOwnProperty(\"clientId\")) {\r",
-							"        pm.expect(pm.response.status).to.eql(200);\r",
+							"    // Verifica il contenuto della risposta quando il record non esiste\r",
+							"    pm.expect(jsonResponse).to.have.property(\"clientId\").to.eq(\"IPA_TESTtestClient\");\r",
+							"    pm.expect(jsonResponse).to.have.property(\"clientName\").to.eq(\"testClient\");\r",
+							"    pm.expect(jsonResponse).to.have.property(\"organizationIpaCode\").to.eq(\"IPA_TEST\");\r",
+							"    pm.expect(jsonResponse).to.have.property(\"clientSecret\");\r",
 							"\r",
-							"        // Verifica il contenuto della risposta quando il record non esiste\r",
-							"        pm.expect(jsonResponse).to.have.property(\"clientId\").to.eq(\"IPA_TESTtestClient\");\r",
-							"        pm.expect(jsonResponse).to.have.property(\"clientName\").to.eq(\"testClient\");\r",
-							"        pm.expect(jsonResponse).to.have.property(\"organizationIpaCode\").to.eq(\"IPA_TEST\");\r",
-							"        pm.expect(jsonResponse).to.have.property(\"clientSecret\");\r",
-							"    } else {\r",
-							"        // Se il record esiste, ritorna un errore di chiave duplicata\r",
-							"         pm.response.to.have.status(500);\r",
-							"    }\r",
+							"    pm.collectionVariables.set(\"clientId\", jsonResponse.clientId)\r",
+							"    pm.collectionVariables.set(\"clientSecret\", jsonResponse.clientSecret)\r",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{accessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "POST",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\r\n  \"clientName\" : \"testClient\"\r\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{p4paAuthBaseUrl}}/payhub/auth/clients/IPA_TEST",
+					"host": [
+						"{{p4paAuthBaseUrl}}"
+					],
+					"path": [
+						"payhub",
+						"auth",
+						"clients",
+						"IPA_TEST"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "registerClient_Conflict",
+			"event": [
+				{
+					"listen": "prerequest",
+					"script": {
+						"exec": [
+							""
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				},
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test(\"Auth - registerClient_Conflict - Responses with 409\", function () {\r",
+							"    pm.response.to.have.status(409);\r",
 							"});"
 						],
 						"type": "text/javascript",
@@ -997,6 +1058,133 @@
 				}
 			},
 			"response": []
+		},
+		{
+			"name": "postToken client-credentials",
+			"event": [
+				{
+					"listen": "prerequest",
+					"script": {
+						"exec": [
+							"    pm.environment.get(\"clientId\")\r",
+							"    pm.environment.get(\"clientSecret\")"
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				},
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test(\"Auth - postToken - Responses with 200\", function () {\r",
+							"    pm.response.to.have.status(200);\r",
+							"});\r",
+							"\r",
+							"pm.test(\"Auth - postToken - Verify response body\", function () {\r",
+							"    let jsonResponse = pm.response.json();\r",
+							"    pm.expect(jsonResponse).have.property(\"tokenType\").to.eq(\"bearer\");\r",
+							"    pm.expect(jsonResponse).have.property(\"expiresIn\").to.eq(14400);\r",
+							"    pm.expect(jsonResponse).have.property(\"accessToken\");\r",
+							"\r",
+							"    pm.variables.set(\"accessToken\", jsonResponse.accessToken)\r",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [],
+				"url": {
+					"raw": "{{p4paAuthBaseUrl}}/payhub/auth/token?client_id={{clientId}}&grant_type=client_credentials&scope=openid&client_secret={{clientSecret}}",
+					"host": [
+						"{{p4paAuthBaseUrl}}"
+					],
+					"path": [
+						"payhub",
+						"auth",
+						"token"
+					],
+					"query": [
+						{
+							"key": "client_id",
+							"value": "{{clientId}}"
+						},
+						{
+							"key": "grant_type",
+							"value": "client_credentials"
+						},
+						{
+							"key": "scope",
+							"value": "openid"
+						},
+						{
+							"key": "client_secret",
+							"value": "{{clientSecret}}"
+						}
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "revokeClient",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test(\"Auth - revokeClient - Responses with 200\", function () {\r",
+							"    pm.response.to.have.status(200);\r",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				},
+				{
+					"listen": "prerequest",
+					"script": {
+						"exec": [
+							"    pm.environment.get(\"clientId\")\r",
+							"    pm.environment.get(\"organizationIpaCode\")"
+						],
+						"type": "text/javascript",
+						"packages": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{accessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "DELETE",
+				"header": [],
+				"url": {
+					"raw": "{{p4paAuthBaseUrl}}/payhub/auth/clients/{{organizationIpaCode}}/{{clientId}}",
+					"host": [
+						"{{p4paAuthBaseUrl}}"
+					],
+					"path": [
+						"payhub",
+						"auth",
+						"clients",
+						"{{organizationIpaCode}}",
+						"{{clientId}}"
+					]
+				}
+			},
+			"response": []
 		}
 	],
 	"event": [
@@ -1025,6 +1213,22 @@
 		{
 			"key": "accessToken",
 			"value": ""
+		},
+		{
+			"key": "mappedExternalUserId",
+			"value": ""
+		},
+		{
+			"key": "organizationIpaCode",
+			"value": ""
+		},
+		{
+			"key": "clientId",
+			"value": ""
+		},
+		{
+			"key": "clientSecret",
+			"value": ""
 		}
 	]
 }

postman/p4pa-auth-NoAccessModeOrganization.postman_collection.json

@@ -234,8 +234,8 @@
 							"\r",
 							"    pm.expect(jsonResponse.organizations).have.property(\"length\").to.gte(3)\r",
 							"    \r",
-							"    pm.environment.set(\"mappedExternalUserId\",jsonResponse.mappedExternalUserId)\r",
-							"    pm.environment.set(\"organizationIpaCode\",jsonResponse.organizationAccess)\r",
+							"    pm.collectionVariables.set(\"mappedExternalUserId\",jsonResponse.mappedExternalUserId)\r",
+							"    pm.collectionVariables.set(\"organizationIpaCode\",jsonResponse.organizationAccess)\r",
 							"    var recognizedOrganizations = 0\r",
 							"    const registeredOrganizations=[\r",
 							"        \"IPA_TEST\",\r",

src/main/java/it/gov/pagopa/payhub/auth/controller/AuthzControllerImpl.java

@@ -122,4 +122,13 @@ public ResponseEntity<List<ClientNoSecretDTO>> getClients(String organizationIpa
         }
         return ResponseEntity.ok(authzService.getClients(organizationIpaCode));
     }
+
+    @Override
+    public ResponseEntity<Void> revokeClient(String organizationIpaCode, String clientId) {
+        if(!SecurityUtils.isPrincipalAdmin(organizationIpaCode)){
+            throw new UserUnauthorizedException("User not allowed to delete client with clientId " + clientId);
+        }
+        authzService.revokeClient(organizationIpaCode, clientId);
+        return ResponseEntity.ok(null);
+    }
 }

src/main/java/it/gov/pagopa/payhub/auth/dto/IamUserInfoDTO.java

@@ -20,5 +20,8 @@ public class IamUserInfoDTO {
 
   // field calculated upon registration
   private String innerUserId;
+
+  // field to check if it is a real user or a machine/system user
+  private boolean systemUser;
 }