PUB-2300 Add security to Swagger API (#416)

* Add security to Swagger API * Removed unused import * Revert "PUB-2279 - Fixed code smells (#401)" This reverts commit 97eadab. * Revert "Revert "PUB-2279 - Fixed code smells (#401)"" This reverts commit a67ffb2. * Revert accidental commit * Revert accidental commit * Revert spelling change * Update suppressions * Removed suppression * Update APIM api-swagger to have security on the health endpoint * Use bearerAuth --------- Co-authored-by: ChrisS1512 <[email protected]>
hmcts · Feb 21, 2024 · a39fa23 · a39fa23
1 parent 80850f5
commit a39fa23
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 14 deletions.
diff --git a/infrastructure/resources/swagger/api-swagger.json b/infrastructure/resources/swagger/api-swagger.json
@@ -19,6 +19,11 @@
       "description": "Generated server url"
     }
   ],
+  "security": [
+    {
+      "bearerAuth": []
+    }
+  ],
   "paths": {
     "/notify/otp": {
       "post": {
@@ -58,6 +63,16 @@
               }
             }
           },
+          "401": {
+            "description": "Invalid access credential",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
           "403": {
             "description": "User has not been authorised",
             "content": {
@@ -88,6 +103,26 @@
                 }
               }
             }
+          },
+          "401": {
+            "description": "Invalid access credential",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "User has not been authorised",
+            "content": {
+              "*/*": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
           }
         }
       }
@@ -106,6 +141,14 @@
           }
         }
       }
+    },
+    "securitySchemes": {
+      "bearerAuth": {
+        "type": "http",
+        "in": "header",
+        "scheme": "bearer",
+        "bearerFormat": "JWT"
+      }
     }
   }
 }
diff --git a/src/main/java/uk/gov/hmcts/reform/pip/publication/services/config/OpenApiConfiguration.java b/src/main/java/uk/gov/hmcts/reform/pip/publication/services/config/OpenApiConfiguration.java
@@ -1,13 +1,18 @@
 package uk.gov.hmcts.reform.pip.publication.services.config;
 
+import io.swagger.v3.oas.annotations.security.SecurityScheme;
 import io.swagger.v3.oas.models.ExternalDocumentation;
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Info;
 import io.swagger.v3.oas.models.info.License;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import static io.swagger.v3.oas.annotations.enums.SecuritySchemeIn.HEADER;
+import static io.swagger.v3.oas.annotations.enums.SecuritySchemeType.HTTP;
+
 @Configuration
+@SecurityScheme(name = "bearerAuth", type = HTTP, scheme = "bearer", bearerFormat = "JWT", in = HEADER)
 public class OpenApiConfiguration {
 
     @Bean

diff --git a/...a/uk/gov/hmcts/reform/pip/publication/services/controllers/B2cNotificationController.java b/...a/uk/gov/hmcts/reform/pip/publication/services/controllers/B2cNotificationController.java
@@ -2,6 +2,7 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -18,6 +19,7 @@
 @Tag(name = "Publication Services notification API for B2C")
 @RequestMapping("/notify")
 @IsB2C
+@SecurityRequirement(name = "bearerAuth")
 public class B2cNotificationController {
     private final UserNotificationService userNotificationService;
 
@@ -28,6 +30,7 @@ public B2cNotificationController(UserNotificationService userNotificationService
 
     @ApiResponse(responseCode = "200", description = "OTP email successfully sent with referenceId: {Id}")
     @ApiResponse(responseCode = "400", description = "NotifyException error message")
+    @ApiResponse(responseCode = "401", description = "Invalid access credential")
     @ApiResponse(responseCode = "403", description = "User has not been authorized")
     @Operation(summary = "Send email containing B2C one-time password")
     @PostMapping("/otp")

diff --git a/...java/uk/gov/hmcts/reform/pip/publication/services/controllers/NotificationController.java b/...java/uk/gov/hmcts/reform/pip/publication/services/controllers/NotificationController.java
@@ -2,6 +2,7 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -34,7 +35,10 @@
 @RestController
 @Tag(name = "Publication Services notification API")
 @RequestMapping("/notify")
+@ApiResponse(responseCode = "401", description = "Invalid access credential")
+@ApiResponse(responseCode = "403", description = "User has not been authorized")
 @IsAdmin
+@SecurityRequirement(name = "bearerAuth")
 @SuppressWarnings("PMD.TooManyMethods")
 public class NotificationController {
 
@@ -48,10 +52,8 @@ public class NotificationController {
 
     private static final String BAD_PAYLOAD_ERROR_MESSAGE = "BadPayloadException error message";
     private static final String NOTIFY_EXCEPTION_ERROR_MESSAGE = "NotifyException error message";
-    private static final String NOT_AUTHORIZED_MESSAGE = "User has not been authorized";
 
     private static final String OK_RESPONSE = "200";
-    private static final String AUTH_RESPONSE = "403";
     private static final String BAD_REQUEST = "400";
 
     @Autowired
@@ -74,7 +76,6 @@ public NotificationController(NotificationService notificationService,
         + "sent with referenceId abc123-123-432-4456")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send welcome email to new or existing subscribed users",
         description = "Use the bool isExisting as 'false' to send new user emails or 'true' to "
             + "send existing user emails ")
@@ -90,7 +91,6 @@ public ResponseEntity<String> sendWelcomeEmail(@RequestBody WelcomeEmail body) {
         + "successfully sent with referenceId {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send welcome email to new Azure Active Directory (AAD) user.")
     @PostMapping("/created/admin")
     public ResponseEntity<String> sendAdminAccountWelcomeEmail(@RequestBody CreatedAdminWelcomeEmail body) {
@@ -105,7 +105,6 @@ public ResponseEntity<String> sendAdminAccountWelcomeEmail(@RequestBody CreatedA
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = "CsvCreationException error message")
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send the media application report to the P&I team")
     @PostMapping("/media/report")
     public ResponseEntity<String> sendMediaReportingEmail(@RequestBody List<MediaApplication> mediaApplicationList) {
@@ -132,7 +131,6 @@ public ResponseEntity<String> sendSubscriptionEmail(@Valid @RequestBody Subscrip
         + "successfully sent with referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send the unidentified blob report to the P&I team")
     @PostMapping("/unidentified-blob")
     public ResponseEntity<String> sendUnidentifiedBlobEmail(@RequestBody List<NoMatchArtefact> noMatchArtefactList) {
@@ -146,7 +144,6 @@ public ResponseEntity<String> sendUnidentifiedBlobEmail(@RequestBody List<NoMatc
         + "successfully sent with referenceId {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send duplicate email to new media account user.")
     @PostMapping("/duplicate/media")
     public ResponseEntity<String> sendDuplicateMediaAccountEmail(@RequestBody DuplicatedMediaEmail body) {
@@ -165,7 +162,6 @@ public ResponseEntity<String> sendThirdPartySubscription(@Valid @RequestBody Thi
     }
 
     @ApiResponse(responseCode = OK_RESPONSE, description = "Successfully sent empty list to {thirdParty} at: {api}")
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send empty list to third party after being deleted from P&I")
     @PutMapping("/api")
     public ResponseEntity<String> notifyThirdPartyForArtefactDeletion(
@@ -177,7 +173,6 @@ public ResponseEntity<String> notifyThirdPartyForArtefactDeletion(
         + "sent with referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send a media user a verification email")
     @PostMapping("/media/verification")
     public ResponseEntity<String> sendMediaUserVerificationEmail(@RequestBody MediaVerificationEmail body) {
@@ -191,7 +186,6 @@ public ResponseEntity<String> sendMediaUserVerificationEmail(@RequestBody MediaV
         + "sent with referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send a media applicant a rejection email")
     @PostMapping("/media/reject")
     public ResponseEntity<String> sendMediaUserRejectionEmail(@RequestBody MediaRejectionEmail body) {
@@ -205,7 +199,6 @@ public ResponseEntity<String> sendMediaUserRejectionEmail(@RequestBody MediaReje
         + "successfully sent with referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send notification email to inactive users to remind them to sign in")
     @PostMapping("/user/sign-in")
     public ResponseEntity<String> sendNotificationToInactiveUsers(@RequestBody InactiveUserNotificationEmail body) {
@@ -218,7 +211,6 @@ public ResponseEntity<String> sendNotificationToInactiveUsers(@RequestBody Inact
     @ApiResponse(responseCode = OK_RESPONSE, description = "MI data reporting email successfully sent with "
         + "referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send email with MI report")
     @PostMapping("/mi/report")
     public ResponseEntity<String> sendMiReportingEmail() {
@@ -230,7 +222,6 @@ public ResponseEntity<String> sendMiReportingEmail() {
 
     @ApiResponse(responseCode = OK_RESPONSE, description = "System Admin user email notification")
     @ApiResponse(responseCode = BAD_REQUEST, description = BAD_PAYLOAD_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send notification email to system admin about update")
     @PostMapping("/sysadmin/update")
     public ResponseEntity<String> sendSystemAdminUpdate(@RequestBody SystemAdminAction body) {
@@ -243,7 +234,6 @@ public ResponseEntity<String> sendSystemAdminUpdate(@RequestBody SystemAdminActi
     @ApiResponse(responseCode = OK_RESPONSE, description = "Location subscription email "
         + "successfully sent with referenceId: {Id}")
     @ApiResponse(responseCode = BAD_REQUEST, description = NOTIFY_EXCEPTION_ERROR_MESSAGE)
-    @ApiResponse(responseCode = AUTH_RESPONSE, description = NOT_AUTHORIZED_MESSAGE)
     @Operation(summary = "Send the location subscription deletion email to all the subscribers")
     @PostMapping("/location-subscription-delete")
     public ResponseEntity<String> sendDeleteLocationSubscriptionEmail(