hmcts · vasudevganesanhmcts · Nov 24, 2023 · Jul 17, 2023 · Jul 18, 2023 · Jul 19, 2023
diff --git a/build.gradle b/build.gradle
@@ -396,7 +396,7 @@ dependencies {
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign'
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-openfeign-core'
   implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.1.0'
-  implementation group: 'uk.gov.hmcts.reform', name: 'service-auth-provider-client', version: '4.0.0'
+  implementation group: 'uk.gov.hmcts.reform', name: 'service-auth-provider-client', version: '4.0.3'
 
   implementation group: 'io.github.openfeign', name: 'feign-httpclient', version: '12.4'
   implementation group: 'org.springframework.retry', name: 'spring-retry'

diff --git a/charts/civil-service/Chart.yaml b/charts/civil-service/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: A Helm chart for civil-service App
 name: civil-service
 home: https://github.com/hmcts/civil-service
-version: 0.0.52
+version: 0.0.53
 maintainers:
   - name: HMCTS Civil team
 

@@ -74,6 +74,7 @@ java:
     ASYNC_HANDLER_CORE_POOL_SIZE: 7
     ASYNC_HANDLER_MAX_POOL_SIZE: 42
     ASYNC_HANDLER_QUEUE_CAPACITY: 10
+    CIVIL_S2S_AUTHORISED_SERVICES: payment_app,ccd_data,civil_service,civil-citizen-ui
 
   keyVaults:
     civil:

@@ -22,8 +22,10 @@
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import uk.gov.hmcts.reform.authorisation.ServiceAuthorisationApi;
 import uk.gov.hmcts.reform.civil.Application;
 import uk.gov.hmcts.reform.civil.TestIdamConfiguration;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.UserService;
 import uk.gov.hmcts.reform.idam.client.models.UserInfo;
 
@@ -61,6 +63,9 @@ public abstract class BaseIntegrationTest {
         .roles(of("caseworker-civil-solicitor"))
         .build();
 
+    private static final String s2sToken = "s2s AuthToken";
+    @MockBean
+    private ServiceAuthorisationApi serviceAuthorisationApi;
     @MockBean
     protected UserService userService;
     @MockBean
@@ -69,6 +74,8 @@ public abstract class BaseIntegrationTest {
     protected SecurityContext securityContext;
     @MockBean
     protected JwtDecoder jwtDecoder;
+    @MockBean
+    public AuthorisationService authorisationService;
 
     @Autowired
     protected ObjectMapper objectMapper;
@@ -78,11 +85,13 @@ public abstract class BaseIntegrationTest {
 
     @BeforeEach
     public void setUpBase() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         when(userService.getAccessToken(any(), any())).thenReturn("arbitrary access token");
         when(userService.getUserInfo(anyString())).thenReturn(USER_INFO);
         when(securityContext.getAuthentication()).thenReturn(authentication);
         SecurityContextHolder.setContext(securityContext);
         setSecurityAuthorities(authentication);
+        when(serviceAuthorisationApi.getServiceName(any())).thenReturn("payment_app");
         when(jwtDecoder.decode(anyString())).thenReturn(getJwt());
     }
 

@@ -4,6 +4,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -22,6 +23,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
@@ -31,6 +33,7 @@ class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
     private static final String PAID = "Paid";
     private static final String REFERENCE = "reference";
     private static final String ACCOUNT_NUMBER = "123445555";
+    private static final String s2sToken = "s2s AuthToken";
 
     @MockBean
     CoreCaseDataApi coreCaseDataApi;
@@ -40,6 +43,7 @@ class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
 
     @BeforeEach
     void bareMinimumToMakeAPositiveRequest() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         CaseData caseData = CaseData.builder().businessProcess(BusinessProcess.builder().processInstanceId("instance").camundaEvent("camunda event").build()).build();
         CaseDetails caseDetails = CaseDetails.builder().build();
         caseDetails.setData(caseData.toMap(objectMapper));
@@ -51,6 +55,30 @@ void bareMinimumToMakeAPositiveRequest() {
         given(coreCaseDataApi.submitEventForCaseWorker(any(), any(), any(), any(), any(), any(), anyBoolean(), any())).willReturn(caseDetails);
     }
 
+    @Test
+    public void whenValidPaymentCallbackIsReceivedReturnSuccess() throws Exception {
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            .andExpect(status().isOk());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithoutServiceAuthorisationReturn400() throws Exception {
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithServiceAuthorisationButreturnsfalseReturn400() throws Exception {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(false);
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .header("ServiceAuthorization", s2sToken)
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is5xxServerError());
+    }
+
     @Test
     public void whenInvalidTypeOfRequestMade_ReturnMethodNotAllowed() throws Exception {
 
@@ -96,6 +124,8 @@ private ServiceRequestUpdateDto buildServiceDto() {
     protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.put(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }
@@ -104,6 +134,8 @@ protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVa
     protected <T> ResultActions doPost(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.post(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }

@@ -4,6 +4,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -22,6 +23,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrationTest {
@@ -31,7 +33,6 @@ class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrat
     private static final String PAID = "Paid";
     private static final String REFERENCE = "reference";
     private static final String ACCOUNT_NUMBER = "123445555";
-
     @MockBean
     CoreCaseDataApi coreCaseDataApi;
 
@@ -40,6 +41,7 @@ class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrat
 
     @BeforeEach
     void bareMinimumToMakeAPositiveRequest() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         CaseData
             caseData = CaseData.builder().businessProcess(BusinessProcess.builder().processInstanceId("instance").camundaEvent("camunda event").build()).build();
         CaseDetails caseDetails = CaseDetails.builder().build();
@@ -77,6 +79,30 @@ public void whenServiceRequestUpdateRequestButUnexpectedErrorOccurs_thenHttp5xx(
             .andExpect(status().is5xxServerError());
     }
 
+    @Test
+    public void whenValidPaymentCallbackIsReceivedReturnSuccess() throws Exception {
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            .andExpect(status().isOk());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithoutServiceAuthorisationReturn400() throws Exception {
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithServiceAuthorisationButreturnsfalseReturn400() throws Exception {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(false);
+
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            // Then: the result status must be an HTTP-4xx
+            .andExpect(status().is5xxServerError());
+
+    }
+
     private ServiceRequestUpdateDto buildServiceDto() {
         return ServiceRequestUpdateDto.builder()
             .ccdCaseNumber(CCD_CASE_NUMBER)
@@ -94,6 +120,8 @@ private ServiceRequestUpdateDto buildServiceDto() {
     protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.put(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }
@@ -102,6 +130,8 @@ protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVa
     protected <T> ResultActions doPost(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.post(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }

@@ -7,10 +7,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RestController;
 import uk.gov.hmcts.reform.civil.enums.FeeType;
 import uk.gov.hmcts.reform.civil.exceptions.InternalServerErrorException;
 import uk.gov.hmcts.reform.civil.model.ServiceRequestUpdateDto;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.PaymentRequestUpdateCallbackService;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
@@ -22,16 +24,24 @@ public class ServiceRequestUpdateCallbackController {
 
     private final PaymentRequestUpdateCallbackService requestUpdateCallbackService;
 
+    private final AuthorisationService authorisationService;
+
     @PutMapping(path = "/service-request-update", consumes = APPLICATION_JSON, produces = APPLICATION_JSON)
     @Operation(summary = "Ways to pay will call this API and send the status of payment with other details")
     @ApiResponses(value = {
         @ApiResponse(responseCode = "200", description = "Callback processed."),
         @ApiResponse(responseCode = "400", description = "Bad Request"),
         @ApiResponse(responseCode = "500", description = "Internal Server Error")
     })
-    public void serviceRequestUpdate(@RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
+    public void serviceRequestUpdate(
+        @RequestHeader("ServiceAuthorization") String s2sToken,
+        @RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
         try {
-            requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.HEARING.name());
+            if (authorisationService.isServiceAuthorized(s2sToken)) {
+                requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.HEARING.name());
+            } else {
+                throw (new RuntimeException("Invalid Client"));
+            }
         } catch (Exception ex) {
             log.error(
                 "Payment callback is unsuccessful for the CaseID: {}",

@@ -7,10 +7,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RestController;
 import uk.gov.hmcts.reform.civil.enums.FeeType;
 import uk.gov.hmcts.reform.civil.exceptions.InternalServerErrorException;
 import uk.gov.hmcts.reform.civil.model.ServiceRequestUpdateDto;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.PaymentRequestUpdateCallbackService;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
@@ -22,14 +24,21 @@ public class ServiceRequestUpdateClaimIssuedCallbackController {
 
     private final PaymentRequestUpdateCallbackService requestUpdateCallbackService;
 
+    private final AuthorisationService authorisationService;
+
     @PutMapping(path = "/service-request-update-claim-issued", consumes = APPLICATION_JSON, produces = APPLICATION_JSON)
     @Operation(summary = "Ways to pay will call this API and send the status of payment with other details")
     @ApiResponses(value = {
         @ApiResponse(responseCode = "200", description = "Callback processed."),
         @ApiResponse(responseCode = "400", description = "Bad Request")})
-    public void serviceRequestUpdate(@RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
+    public void serviceRequestUpdate(@RequestHeader("ServiceAuthorization") String s2sToken,
+                                     @RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
         try {
-            requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.CLAIMISSUED.name());
+            if (authorisationService.isServiceAuthorized(s2sToken)) {
+                requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.CLAIMISSUED.name());
+            } else {
+                throw (new RuntimeException("Invalid Client"));
+            }
         } catch (Exception ex) {
             log.error(
                 "Payment callback is unsuccessful for the CaseID: {}",

@@ -0,0 +1,65 @@
+package uk.gov.hmcts.reform.civil.service;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Service;
+import uk.gov.hmcts.reform.authorisation.ServiceAuthorisationApi;
+import uk.gov.hmcts.reform.idam.client.IdamClient;
+import uk.gov.hmcts.reform.idam.client.models.UserInfo;
+
+import java.util.List;
+
+@Service
+@Slf4j
+@RequiredArgsConstructor(onConstructor = @__(@Autowired))
+public class AuthorisationService {
+
+    private final ServiceAuthorisationApi serviceAuthorisationApi;
+
+    @Value("${civil.authorised-services}")
+    private List<String> s2sAuthorisedServices;
+
+    private final IdamClient idamClient;
+
+    private UserInfo userInfo;
+
+    public Boolean authoriseService(String serviceAuthHeader) {
+        String callingService;
+        try {
+            String bearerJwt = serviceAuthHeader.startsWith("Bearer ") ? serviceAuthHeader : "Bearer " + serviceAuthHeader;
+            callingService = serviceAuthorisationApi.getServiceName(bearerJwt);
+            log.info("Calling Service... {}", callingService);
+            return (callingService != null && s2sAuthorisedServices.contains(callingService));
+        } catch (Exception ex) {
+            //do nothing
+            log.error("S2S token is not authorised" + ex);
+        }
+        return false;
+    }
+
+    public Boolean authoriseUser(String authorisation) {
+        try {
+            userInfo = idamClient.getUserInfo(authorisation);
+            return (null != userInfo);
+        } catch (Exception ex) {
+            //do nothing
+            log.error("User token is invalid");
+        }
+        return false;
+    }
+
+    public UserInfo getUserInfo() {
+        return this.userInfo;
+    }
+
+    public boolean isServiceAndUserAuthorized(String authorisation, String s2sToken) {
+        return Boolean.TRUE.equals(authoriseUser(authorisation))
+            && Boolean.TRUE.equals(authoriseService(s2sToken));
+    }
+
+    public boolean isServiceAuthorized(String s2sToken) {
+        return Boolean.TRUE.equals(authoriseService(s2sToken));
+    }
+}
@@ -129,6 +129,7 @@ idam:
   s2s-auth:
     microservice: civil_service
 
+
 document_management:
   userRoles: "caseworker-civil,caseworker-civil-solicitor"
   secured: ${DOCUMENT_MANAGEMENT_SECURED:true}
@@ -158,6 +159,7 @@ civil:
   test-user:
     username: ${TEST_USERNAME:[email protected]}
     password: ${TEST_PASSWORD:Password12!}
+  authorised-services: ${CIVIL_S2S_AUTHORISED_SERVICES:payment_app,ccd_data,civil_service,civil-citizen-ui}
 
 core_case_data:
   api: