hmcts · vasudevganesanhmcts · Nov 24, 2023 · Jul 17, 2023 · Jul 18, 2023 · Jul 19, 2023
diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP
@@ -8,7 +8,7 @@ import uk.gov.hmcts.contino.GithubAPI
 def type = "java"
 def product = "civil"
 def component = "service"
-def ccdBranch = "master"
+def ccdBranch = "CIV-0000-adds2stoken"
 def camundaBranch = "master"
 def yarnBuilder = new uk.gov.hmcts.contino.YarnBuilder(this)
 

diff --git a/build.gradle b/build.gradle
@@ -396,7 +396,7 @@ dependencies {
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign'
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-openfeign-core'
   implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.1.0'
-  implementation group: 'uk.gov.hmcts.reform', name: 'service-auth-provider-client', version: '4.0.0'
+  implementation group: 'uk.gov.hmcts.reform', name: 'service-auth-provider-client', version: '4.0.3'
 
   implementation group: 'io.github.openfeign', name: 'feign-httpclient', version: '12.4'
   implementation group: 'org.springframework.retry', name: 'spring-retry'

diff --git a/charts/civil-service/Chart.yaml b/charts/civil-service/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: A Helm chart for civil-service App
 name: civil-service
 home: https://github.com/hmcts/civil-service
-version: 0.0.52
+version: 0.0.53
 maintainers:
   - name: HMCTS Civil team
 

@@ -74,6 +74,7 @@ java:
     ASYNC_HANDLER_CORE_POOL_SIZE: 7
     ASYNC_HANDLER_MAX_POOL_SIZE: 42
     ASYNC_HANDLER_QUEUE_CAPACITY: 10
+    CIVIL_S2S_AUTHORISED_SERVICES: payment_app,ccd_data,civil_service,civil-citizen-ui
 
   keyVaults:
     civil:

@@ -22,8 +22,10 @@
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import uk.gov.hmcts.reform.authorisation.ServiceAuthorisationApi;
 import uk.gov.hmcts.reform.civil.Application;
 import uk.gov.hmcts.reform.civil.TestIdamConfiguration;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.UserService;
 import uk.gov.hmcts.reform.idam.client.models.UserInfo;
 
@@ -61,6 +63,9 @@ public abstract class BaseIntegrationTest {
         .roles(of("caseworker-civil-solicitor"))
         .build();
 
+    private static final String s2sToken = "s2s AuthToken";
+    @MockBean
+    private ServiceAuthorisationApi serviceAuthorisationApi;
     @MockBean
     protected UserService userService;
     @MockBean
@@ -69,6 +74,8 @@ public abstract class BaseIntegrationTest {
     protected SecurityContext securityContext;
     @MockBean
     protected JwtDecoder jwtDecoder;
+    @MockBean
+    public AuthorisationService authorisationService;
 
     @Autowired
     protected ObjectMapper objectMapper;
@@ -78,11 +85,13 @@ public abstract class BaseIntegrationTest {
 
     @BeforeEach
     public void setUpBase() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         when(userService.getAccessToken(any(), any())).thenReturn("arbitrary access token");
         when(userService.getUserInfo(anyString())).thenReturn(USER_INFO);
         when(securityContext.getAuthentication()).thenReturn(authentication);
         SecurityContextHolder.setContext(securityContext);
         setSecurityAuthorities(authentication);
+        when(serviceAuthorisationApi.getServiceName(any())).thenReturn("payment_app");
         when(jwtDecoder.decode(anyString())).thenReturn(getJwt());
     }
 

@@ -4,6 +4,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -22,6 +23,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
@@ -31,6 +33,7 @@ class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
     private static final String PAID = "Paid";
     private static final String REFERENCE = "reference";
     private static final String ACCOUNT_NUMBER = "123445555";
+    private static final String s2sToken = "s2s AuthToken";
 
     @MockBean
     CoreCaseDataApi coreCaseDataApi;
@@ -40,6 +43,7 @@ class ServiceRequestUpdateCallbackControllerTest extends BaseIntegrationTest {
 
     @BeforeEach
     void bareMinimumToMakeAPositiveRequest() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         CaseData caseData = CaseData.builder().businessProcess(BusinessProcess.builder().processInstanceId("instance").camundaEvent("camunda event").build()).build();
         CaseDetails caseDetails = CaseDetails.builder().build();
         caseDetails.setData(caseData.toMap(objectMapper));
@@ -51,6 +55,30 @@ void bareMinimumToMakeAPositiveRequest() {
         given(coreCaseDataApi.submitEventForCaseWorker(any(), any(), any(), any(), any(), any(), anyBoolean(), any())).willReturn(caseDetails);
     }
 
+    @Test
+    public void whenValidPaymentCallbackIsReceivedReturnSuccess() throws Exception {
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            .andExpect(status().isOk());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithoutServiceAuthorisationReturn400() throws Exception {
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithServiceAuthorisationButreturnsfalseReturn400() throws Exception {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(false);
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .header("ServiceAuthorization", s2sToken)
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is5xxServerError());
+    }
+
     @Test
     public void whenInvalidTypeOfRequestMade_ReturnMethodNotAllowed() throws Exception {
 
@@ -96,6 +124,8 @@ private ServiceRequestUpdateDto buildServiceDto() {
     protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.put(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }
@@ -104,6 +134,8 @@ protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVa
     protected <T> ResultActions doPost(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.post(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }

@@ -4,6 +4,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -22,6 +23,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrationTest {
@@ -31,7 +33,6 @@ class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrat
     private static final String PAID = "Paid";
     private static final String REFERENCE = "reference";
     private static final String ACCOUNT_NUMBER = "123445555";
-
     @MockBean
     CoreCaseDataApi coreCaseDataApi;
 
@@ -40,6 +41,7 @@ class ServiceRequestUpdateClaimIssuedCallbackControllerTest extends BaseIntegrat
 
     @BeforeEach
     void bareMinimumToMakeAPositiveRequest() {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(true);
         CaseData
             caseData = CaseData.builder().businessProcess(BusinessProcess.builder().processInstanceId("instance").camundaEvent("camunda event").build()).build();
         CaseDetails caseDetails = CaseDetails.builder().build();
@@ -77,6 +79,30 @@ public void whenServiceRequestUpdateRequestButUnexpectedErrorOccurs_thenHttp5xx(
             .andExpect(status().is5xxServerError());
     }
 
+    @Test
+    public void whenValidPaymentCallbackIsReceivedReturnSuccess() throws Exception {
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            .andExpect(status().isOk());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithoutServiceAuthorisationReturn400() throws Exception {
+        mockMvc.perform(
+            MockMvcRequestBuilders.put(PAYMENT_CALLBACK_URL, "")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(toJson(buildServiceDto()))).andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    public void whenPaymentCallbackIsReceivedWithServiceAuthorisationButreturnsfalseReturn400() throws Exception {
+        when(authorisationService.isServiceAuthorized(any())).thenReturn(false);
+
+        doPut(buildServiceDto(), PAYMENT_CALLBACK_URL, "")
+            // Then: the result status must be an HTTP-4xx
+            .andExpect(status().is5xxServerError());
+
+    }
+
     private ServiceRequestUpdateDto buildServiceDto() {
         return ServiceRequestUpdateDto.builder()
             .ccdCaseNumber(CCD_CASE_NUMBER)
@@ -94,6 +120,8 @@ private ServiceRequestUpdateDto buildServiceDto() {
     protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.put(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }
@@ -102,6 +130,8 @@ protected <T> ResultActions doPut(T content, String urlTemplate, Object... uriVa
     protected <T> ResultActions doPost(T content, String urlTemplate, Object... uriVars) {
         return mockMvc.perform(
             MockMvcRequestBuilders.post(urlTemplate, uriVars)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_TOKEN)
+                .header("ServiceAuthorization", "s2s AuthToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(toJson(content)));
     }

diff --git a/src/main/java/uk/gov/hmcts/reform/civil/config/SecurityConfiguration.java b/src/main/java/uk/gov/hmcts/reform/civil/config/SecurityConfiguration.java
@@ -49,9 +49,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
         "/",
         "/loggers/**",
         "/assignment/**",
+        "/case/document/**",
         "/service-request-update",
-        "/service-request-update-claim-issued",
-        "/case/document/**"
     };
 
     @Value("${spring.security.oauth2.client.provider.oidc.issuer-uri}")

@@ -7,10 +7,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RestController;
 import uk.gov.hmcts.reform.civil.enums.FeeType;
 import uk.gov.hmcts.reform.civil.exceptions.InternalServerErrorException;
 import uk.gov.hmcts.reform.civil.model.ServiceRequestUpdateDto;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.PaymentRequestUpdateCallbackService;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
@@ -22,16 +24,24 @@ public class ServiceRequestUpdateCallbackController {
 
     private final PaymentRequestUpdateCallbackService requestUpdateCallbackService;
 
+    private final AuthorisationService authorisationService;
+
     @PutMapping(path = "/service-request-update", consumes = APPLICATION_JSON, produces = APPLICATION_JSON)
     @Operation(summary = "Ways to pay will call this API and send the status of payment with other details")
     @ApiResponses(value = {
         @ApiResponse(responseCode = "200", description = "Callback processed."),
         @ApiResponse(responseCode = "400", description = "Bad Request"),
         @ApiResponse(responseCode = "500", description = "Internal Server Error")
     })
-    public void serviceRequestUpdate(@RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
+    public void serviceRequestUpdate(
+        @RequestHeader("ServiceAuthorization") String s2sToken,
+        @RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
         try {
-            requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.HEARING.name());
+            if (authorisationService.isServiceAuthorized(s2sToken)) {
+                requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.HEARING.name());
+            } else {
+                throw (new RuntimeException("Invalid Client"));
+            }
         } catch (Exception ex) {
             log.error(
                 "Payment callback is unsuccessful for the CaseID: {}",

@@ -7,10 +7,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RestController;
 import uk.gov.hmcts.reform.civil.enums.FeeType;
 import uk.gov.hmcts.reform.civil.exceptions.InternalServerErrorException;
 import uk.gov.hmcts.reform.civil.model.ServiceRequestUpdateDto;
+import uk.gov.hmcts.reform.civil.service.AuthorisationService;
 import uk.gov.hmcts.reform.civil.service.PaymentRequestUpdateCallbackService;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
@@ -22,14 +24,21 @@ public class ServiceRequestUpdateClaimIssuedCallbackController {
 
     private final PaymentRequestUpdateCallbackService requestUpdateCallbackService;
 
+    private final AuthorisationService authorisationService;
+
     @PutMapping(path = "/service-request-update-claim-issued", consumes = APPLICATION_JSON, produces = APPLICATION_JSON)
     @Operation(summary = "Ways to pay will call this API and send the status of payment with other details")
     @ApiResponses(value = {
         @ApiResponse(responseCode = "200", description = "Callback processed."),
         @ApiResponse(responseCode = "400", description = "Bad Request")})
-    public void serviceRequestUpdate(@RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
+    public void serviceRequestUpdate(@RequestHeader("ServiceAuthorization") String s2sToken,
+                                     @RequestBody ServiceRequestUpdateDto serviceRequestUpdateDto) {
         try {
-            requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.CLAIMISSUED.name());
+            if (authorisationService.isServiceAuthorized(s2sToken)) {
+                requestUpdateCallbackService.processCallback(serviceRequestUpdateDto, FeeType.CLAIMISSUED.name());
+            } else {
+                throw (new RuntimeException("Invalid Client"));
+            }
         } catch (Exception ex) {
             log.error(
                 "Payment callback is unsuccessful for the CaseID: {}",