PUB-2681 - Updated System Admin

Author: ChrisS1512

build.gradle

@@ -221,7 +221,7 @@ dependencies {
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.9'
   implementation group: 'commons-validator', name: 'commons-validator', version: '1.9.0'
 
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.32', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.34', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
   implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.3'

src/main/java/uk/gov/hmcts/reform/pip/account/management/controllers/SystemAdminB2CAccountController.java

@@ -5,6 +5,7 @@
 import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -48,6 +49,7 @@ public SystemAdminB2CAccountController(SystemAdminB2CAccountService systemAdminB
     @ApiResponse(responseCode = OK_CODE, description = PI_USER)
     @ApiResponse(responseCode = BAD_REQUEST_CODE, description = "{ErroredSystemAdminAccount}")
     @PostMapping("/add/system-admin")
+    @PreAuthorize("@authorisationService.userCanCreateSystemAdmin(#issuerId)")
     public ResponseEntity<? extends PiUser> createSystemAdminAccount(//NOSONAR
         @RequestHeader(ISSUER_ID) String issuerId, @RequestBody SystemAdminAccount account) {
         return ResponseEntity.ok(systemAdminB2CAccountService.addSystemAdminAccount(account, issuerId));

src/main/java/uk/gov/hmcts/reform/pip/account/management/service/AuthorisationService.java

@@ -10,6 +10,7 @@
 import uk.gov.hmcts.reform.pip.model.account.UserProvenances;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
 import static uk.gov.hmcts.reform.pip.model.LogBuilder.writeLog;
@@ -70,6 +71,18 @@ public boolean userCanUpdateAccount(UUID userId, UUID adminUserId) {
         return isAuthorised;
     }
 
+    public boolean userCanCreateSystemAdmin(UUID userId) {
+        Optional<PiUser> adminUser = userRepository.findByUserId(userId);
+        boolean isSystemAdmin = adminUser.isPresent() && adminUser.get().getRoles().equals(Roles.SYSTEM_ADMIN);
+
+        if (!isSystemAdmin) {
+            log.error(writeLog(
+                String.format("User with ID %s is forbidden to create a B2C system admin", userId)
+            ));
+        }
+        return isSystemAdmin;
+    }
+
     private boolean isAuthorisedRole(UUID userId, UUID adminUserId) {
         PiUser user = getUser(userId);
         if (UserProvenances.SSO.equals(user.getUserProvenance())) {

src/main/java/uk/gov/hmcts/reform/pip/account/management/service/SystemAdminB2CAccountService.java

@@ -38,20 +38,20 @@ public class SystemAdminB2CAccountService {
     private final AzureUserService azureUserService;
     private final UserRepository userRepository;
     private final PublicationService publicationService;
-    private final AzureAccountService azureAccountService;
+    private final AccountService accountService;
     private final Integer maxSystemAdminValue;
 
     @Autowired
     public SystemAdminB2CAccountService(Validator validator, AzureUserService azureUserService,
                                         UserRepository userRepository, PublicationService publicationService,
                                         @Value("${admin.max-system-admin}")Integer maxSystemAdminValue,
-                                        AzureAccountService azureAccountService) {
+                                        AccountService accountService) {
         this.validator = validator;
         this.azureUserService = azureUserService;
         this.userRepository = userRepository;
         this.publicationService = publicationService;
         this.maxSystemAdminValue = maxSystemAdminValue;
-        this.azureAccountService = azureAccountService;
+        this.accountService = accountService;
     }
 
     /**
@@ -61,18 +61,12 @@ public SystemAdminB2CAccountService(Validator validator, AzureUserService azureU
      * @return  The PiUser of the created system admin account.
      */
     public PiUser addSystemAdminAccount(SystemAdminAccount account, String issuerId) {
-
-        String displayName = "";
-        String provenanceUserId = verifyAdminUser(issuerId);
-        if (!provenanceUserId.isEmpty()) {
-            displayName = azureAccountService.retrieveAzureAccount(provenanceUserId).getDisplayName();
-        }
-
-        validateSystemAdminAccount(account, issuerId, displayName);
+        PiUser piUser = accountService.getUserById(UUID.fromString(issuerId));
+        validateSystemAdminAccount(account, issuerId, piUser.getEmail());
         try {
             User user = azureUserService.createUser(account.convertToAzureAccount(), false);
             PiUser createdUser = userRepository.save(account.convertToPiUser(user.getId()));
-            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.SUCCEEDED, displayName);
+            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.SUCCEEDED, piUser.getEmail());
 
             publicationService.sendNotificationEmail(
                 account.getEmail(),
@@ -83,19 +77,20 @@ public PiUser addSystemAdminAccount(SystemAdminAccount account, String issuerId)
         } catch (AzureCustomException e) {
             ErroredSystemAdminAccount erroredSystemAdminAccount = new ErroredSystemAdminAccount(account);
             erroredSystemAdminAccount.setErrorMessages(List.of(e.getLocalizedMessage()));
-            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, displayName);
+            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, piUser.getEmail());
             throw new SystemAdminAccountException(erroredSystemAdminAccount);
         }
+
     }
 
     /**
      * This method handles the logging and publishing that a new system admin account has been created.
      * @param systemAdminAccount The system admin account that has been created
      * @param adminId The ID of the admin user who is creating the account.
-     * @param name The name of the admin user who is creating the account
+     * @param email The email of the admin user who is creating the account
      */
     public void handleNewSystemAdminAccountAction(SystemAdminAccount systemAdminAccount, String adminId,
-                                                  ActionResult result, String name) {
+                                                  ActionResult result, String email) {
         log.info(writeLog(UUID.fromString(adminId),
                           "has attempted to create a System Admin account, which has: " + result.toString()));
 
@@ -105,7 +100,7 @@ public void handleNewSystemAdminAccountAction(SystemAdminAccount systemAdminAcco
         CreateSystemAdminAction createSystemAdminAction = new CreateSystemAdminAction();
         createSystemAdminAction.setAccountEmail(systemAdminAccount.getEmail());
         createSystemAdminAction.setEmailList(existingAdminEmails);
-        createSystemAdminAction.setRequesterName(name);
+        createSystemAdminAction.setRequesterEmail(email);
         createSystemAdminAction.setActionResult(result);
 
         publicationService.sendSystemAdminAccountAction(createSystemAdminAction);
@@ -115,9 +110,9 @@ public void handleNewSystemAdminAccountAction(SystemAdminAccount systemAdminAcco
      * A helper method which specifically handles validation failures on the system admin account.
      * @param account The system admin account to validate.
      * @param issuerId The ID of the admin user that is issuing the account.
-     * @param name The name of the admin user requesting the account.
+     * @param email The email of the admin user requesting the account.
      */
-    private void validateSystemAdminAccount(SystemAdminAccount account, String issuerId, String name) {
+    private void validateSystemAdminAccount(SystemAdminAccount account, String issuerId, String email) {
         Set<ConstraintViolation<SystemAdminAccount>> constraintViolationSet = validator.validate(account);
 
         if (!constraintViolationSet.isEmpty()) {
@@ -126,14 +121,14 @@ private void validateSystemAdminAccount(SystemAdminAccount account, String issue
                                                            .stream().map(constraint -> constraint.getPropertyPath()
                     + ": " + constraint.getMessage()).toList());
 
-            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, name);
+            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, email);
             throw new SystemAdminAccountException(erroredSystemAdminAccount);
         }
 
         if (userRepository.findByEmailAndUserProvenance(account.getEmail(), UserProvenances.PI_AAD).isPresent()) {
             ErroredSystemAdminAccount erroredSystemAdminAccount = new ErroredSystemAdminAccount(account);
             erroredSystemAdminAccount.setDuplicate(true);
-            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, name);
+            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.FAILED, email);
             throw new SystemAdminAccountException(erroredSystemAdminAccount);
         }
 
@@ -144,22 +139,8 @@ private void validateSystemAdminAccount(SystemAdminAccount account, String issue
         if (systemAdminUsers.size() >= maxSystemAdminValue) {
             ErroredSystemAdminAccount erroredSystemAdminAccount = new ErroredSystemAdminAccount(account);
             erroredSystemAdminAccount.setAboveMaxSystemAdmin(true);
-            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.ATTEMPTED, name);
+            handleNewSystemAdminAccountAction(account, issuerId, ActionResult.ATTEMPTED, email);
             throw new SystemAdminAccountException(erroredSystemAdminAccount);
         }
     }
-
-    /**
-     * Method to find whether user is SYSTEM_ADMIN or not.
-     * @param issuerId The ID of the admin user
-     * @return Boolean user is SYSTEM_ADMIN or not
-     */
-    private String verifyAdminUser(String issuerId) {
-        Optional<PiUser> adminUser = userRepository.findByUserId(UUID.fromString(issuerId));
-        if (adminUser.isPresent() && adminUser.get().getRoles().equals(Roles.SYSTEM_ADMIN)) {
-            return adminUser.get().getProvenanceUserId();
-        }
-
-        return "";
-    }
 }