Fixed merge conflicts

build.gradle

@@ -221,7 +221,7 @@ dependencies {
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.9'
   implementation group: 'commons-validator', name: 'commons-validator', version: '1.9.0'
 
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.32', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.34', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
   implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.3'

src/functionalTest/java/uk/gov/hmcts/reform/pip/account/management/controllers/SystemAdminB2CAccountCreationTest.java

@@ -1,59 +1,62 @@
 package uk.gov.hmcts.reform.pip.account.management.controllers;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.github.dockerjava.zerodep.shaded.org.apache.hc.core5.http.HttpHeaders;
 import io.restassured.response.Response;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpStatus;
 import uk.gov.hmcts.reform.pip.account.management.utils.AccountHelperBase;
+import uk.gov.hmcts.reform.pip.model.account.PiUser;
 
 import java.util.Map;
 import java.util.UUID;
-import java.util.concurrent.ThreadLocalRandom;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 
 class SystemAdminB2CAccountCreationTest extends AccountHelperBase {
-    private static final String TEST_USER_EMAIL_PREFIX_1 = String.format(
-        "pip-am-test-email-%s", ThreadLocalRandom.current().nextInt(1000, 9999));
-    private static final String TEST_USER_EMAIL_PREFIX_2 = String.format(
-        "pip-am-test-email-%s", ThreadLocalRandom.current().nextInt(1000, 9999));
-    private static final String TEST_USER_EMAIL_1 = TEST_USER_EMAIL_PREFIX_1 + "@justice.gov.uk";
-    private static final String TEST_USER_EMAIL_2 = TEST_USER_EMAIL_PREFIX_2 + "@justice.gov.uk";
-    private static final String TEST_USER_PROVENANCE_ID = UUID.randomUUID().toString();
-    private static final String USER_ID = UUID.randomUUID().toString();
-
     private static final String ACCOUNT_URL = "/account";
     private static final String SYSTEM_ADMIN_B2C_URL = ACCOUNT_URL + "/add/system-admin";
 
     private Map<String, String> issuerId;
+    private String testEmail;
+    private String testProvenanceUserId;
 
     @BeforeAll
-    public void startUp() {
+    public void startUp() throws JsonProcessingException {
         bearer = Map.of(HttpHeaders.AUTHORIZATION, BEARER + accessToken);
-        issuerId = Map.of(ISSUER_ID, USER_ID);
+
+        PiUser piUser = createSystemAdminAccount();
+        issuerId = Map.of(ISSUER_ID, piUser.getUserId());
+    }
+
+    @BeforeEach
+    public void setupTest() {
+        testEmail = generateEmail();
+        testProvenanceUserId = UUID.randomUUID().toString();
     }
 
     @AfterAll
     public void teardown() {
-        doDeleteRequest(TESTING_SUPPORT_DELETE_ACCOUNT_URL + TEST_USER_EMAIL_1, bearer);
-        doDeleteRequest(TESTING_SUPPORT_DELETE_ACCOUNT_URL + TEST_USER_EMAIL_2, bearer);
+        doDeleteRequest(TESTING_SUPPORT_DELETE_ACCOUNT_URL + TEST_EMAIL_PREFIX, bearer);
     }
 
     @Test
     void createSystemAdminB2CAccount() {
+
         String requestBody = """
             {
                 "email": "%s",
                 "provenanceUserId": "%s"
             }
-            """.formatted(TEST_USER_EMAIL_1, TEST_USER_PROVENANCE_ID);
+            """.formatted(testEmail, testProvenanceUserId);
 
         Response response = doPostRequestForB2C(SYSTEM_ADMIN_B2C_URL, bearer, issuerId, requestBody);
 
         assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK.value());
-        assertThat(response.jsonPath().getString("email")).isEqualTo(TEST_USER_EMAIL_1);
+        assertThat(response.jsonPath().getString("email")).isEqualTo(testEmail);
         assertThat(response.jsonPath().getString("provenanceUserId")).isNotNull();
     }
 
@@ -63,12 +66,12 @@ void shouldCreateSystemAdminB2CAccountWithoutProvenanceUserId() {
             {
                 "email": "%s"
             }
-            """.formatted(TEST_USER_EMAIL_2);
+            """.formatted(testEmail);
 
         Response response = doPostRequestForB2C(SYSTEM_ADMIN_B2C_URL, bearer, issuerId, requestBody);
 
         assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK.value());
-        assertThat(response.jsonPath().getString("email")).isEqualTo(TEST_USER_EMAIL_2);
+        assertThat(response.jsonPath().getString("email")).isEqualTo(testEmail);
         assertThat(response.jsonPath().getString("provenanceUserId")).isNotNull();
     }
 
@@ -78,7 +81,7 @@ void shouldFailToCreateSystemAdminB2CAccountWithoutEmail() {
             {
                 "provenanceUserId": "%s"
             }
-            """.formatted(TEST_USER_PROVENANCE_ID);
+            """.formatted(testProvenanceUserId);
 
         Response response = doPostRequestForB2C(SYSTEM_ADMIN_B2C_URL, bearer, issuerId, requestBody);
 
@@ -92,7 +95,7 @@ void shouldFailToCreateSystemAdminB2CAccountWithoutIssuerId() {
                 "email": "%s",
                 "provenanceUserId": "%s"
             }
-            """.formatted(TEST_USER_EMAIL_1, TEST_USER_PROVENANCE_ID);
+            """.formatted(testEmail, testProvenanceUserId);
 
         Response response = doPostRequest(SYSTEM_ADMIN_B2C_URL, bearer, requestBody);
 

src/integrationTest/java/uk/gov/hmcts/reform/pip/account/management/controllers/AccountTest.java

@@ -119,6 +119,7 @@ class AccountTest {
     private static final String FORBIDDEN_STATUS_CODE = "Status code does not match forbidden";
     private static final String DELETE_USER_FAILURE = "Failed to delete user account";
     private static final String DELETE_USER_SUCCESS = "User deleted";
+    private static final String ADD_USERS_SCRIPT = "classpath:add-admin-users.sql";
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
@@ -610,6 +611,7 @@ void testDeleteAccountNotFound() throws Exception {
     }
 
     @Test
+    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = ADD_USERS_SCRIPT)
     void testV2SystemAdminDeletesVerifiedUser() throws Exception {
         validUser.setUserProvenance(UserProvenances.CFT_IDAM);
         validUser.setRoles(Roles.VERIFIED);
@@ -643,7 +645,7 @@ void testV2SystemAdminDeletesVerifiedUser() throws Exception {
     }
 
     @Test
-    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:add-admin-users.sql")
+    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = ADD_USERS_SCRIPT)
     void testV2SystemAdminDeletesThirdPartyUser() throws Exception {
 
         PiUser thirdPartyUser = createThirdPartyUser();
@@ -675,6 +677,7 @@ void testV2SystemAdminDeletesThirdPartyUser() throws Exception {
     }
 
     @Test
+    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = ADD_USERS_SCRIPT)
     void testV2SystemAdminDeletesSuperAdminUser() throws Exception {
         superAdminUser.setUserProvenance(UserProvenances.CFT_IDAM);
         String superAdminUserId = getSuperAdminUserId(superAdminUser);
@@ -895,7 +898,7 @@ void testUpdateAccountRoleByIdNotFound() throws Exception {
     }
 
     @Test
-    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:add-admin-users.sql")
+    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = ADD_USERS_SCRIPT)
     void testCreateThirdPartyUser() throws Exception {
         PiUser thirdPartyUser = createThirdPartyUser();
         MockHttpServletRequestBuilder mockHttpServletRequestBuilder = MockMvcRequestBuilders
@@ -918,7 +921,7 @@ void testCreateThirdPartyUser() throws Exception {
     }
 
     @Test
-    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:add-admin-users.sql")
+    @Sql(executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD, scripts = ADD_USERS_SCRIPT)
     void testUnauthorizedCreateThirdPartyUser() throws Exception {
         PiUser thirdPartyUser = createUser(true, Roles.GENERAL_THIRD_PARTY);
         MockHttpServletRequestBuilder mockHttpServletRequestBuilder = MockMvcRequestBuilders

src/integrationTest/java/uk/gov/hmcts/reform/pip/account/management/controllers/SystemAdminB2CAccountTest.java

@@ -32,6 +32,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.ArgumentMatchers.any;
@@ -54,6 +55,7 @@ class SystemAdminB2CAccountTest {
 
     private static final String ISSUER_ID = "1234-1234-1234-1234";
     private static final String SYSTEM_ADMIN_ISSUER_ID = "87f907d2-eb28-42cc-b6e1-ae2b03f7bba2";
+    private static final String SUPER_ADMIN_ISSUER_ID = "87f907d2-eb28-42cc-b6e1-ae2b03f7bba3";
     private static final String ISSUER_HEADER = "x-issuer-id";
     private static final String GIVEN_NAME = "Given Name";
     private static final String ID = "1234";
@@ -222,7 +224,29 @@ void testUnauthorizedCreateSystemAdminAccount() throws Exception {
             MockMvcRequestBuilders
                 .post(CREATE_SYSTEM_ADMIN_URL)
                 .content(OBJECT_MAPPER.writeValueAsString(systemAdmin))
-                .header(ISSUER_HEADER, ISSUER_ID)
+                .header(ISSUER_HEADER, UUID.randomUUID().toString())
+                .contentType(MediaType.APPLICATION_JSON);
+
+        MvcResult responseCreateSystemAdminUser = mockMvc.perform(createRequest)
+            .andExpect(status().isForbidden()).andReturn();
+
+        assertEquals(FORBIDDEN.value(), responseCreateSystemAdminUser.getResponse().getStatus(),
+                     FORBIDDEN_STATUS_CODE
+        );
+    }
+
+    @Test
+    void testCreateSystemAdminUserWhenNotSystemAdmin() throws Exception {
+        SystemAdminAccount systemAdmin = new SystemAdminAccount();
+        systemAdmin.setFirstName(TEST_SYS_ADMIN_FIRSTNAME);
+        systemAdmin.setSurname(TEST_SYS_ADMIN_SURNAME);
+        systemAdmin.setEmail(TEST_SYS_ADMIN_EMAIL);
+
+        MockHttpServletRequestBuilder createRequest =
+            MockMvcRequestBuilders
+                .post(CREATE_SYSTEM_ADMIN_URL)
+                .content(OBJECT_MAPPER.writeValueAsString(systemAdmin))
+                .header(ISSUER_HEADER, SUPER_ADMIN_ISSUER_ID)
                 .contentType(MediaType.APPLICATION_JSON);
 
         MvcResult responseCreateSystemAdminUser = mockMvc.perform(createRequest)

src/integrationTest/resources/add-admin-users.sql

@@ -1,5 +1,4 @@
 INSERT INTO pi_user (user_id, email, provenance_user_id,user_provenance,roles,forenames,surname) VALUES
-('87f907d2-eb28-42cc-b6e1-ae2b03f7bba2', 'SyestemAdmin@justice.gov.uk', 'e5f1cc77-6e9a-40ab-8da0-a9666b328464','PI_AAD','SYSTEM_ADMIN','System','Admin'),
+('87f907d2-eb28-42cc-b6e1-ae2b03f7bba2', 'SystemAdmin@justice.gov.uk', 'e5f1cc77-6e9a-40ab-8da0-a9666b328464','PI_AAD','SYSTEM_ADMIN','System','Admin'),
 ('87f907d2-eb28-42cc-b6e1-ae2b03f7bba3', 'SuperAdminCtsc@justice.gov.uk', 'e5f1cc77-6e9a-40ab-8da0-a9666b328465','PI_AAD','INTERNAL_SUPER_ADMIN_CTSC','Super','Admin'),
 ('87f907d2-eb28-42cc-b6e1-ae2b03f7bba4', 'SyestemAdminSso@justice.gov.uk', 'e5f1cc77-6e9a-40ab-8da0-a9666b328466','SSO','SYSTEM_ADMIN','System','Admin');
-

src/main/java/uk/gov/hmcts/reform/pip/account/management/controllers/SystemAdminB2CAccountController.java

@@ -5,6 +5,7 @@
 import io.swagger.v3.oas.annotations.tags.Tag;
 import lombok.AllArgsConstructor;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -44,6 +45,7 @@ public class SystemAdminB2CAccountController {
     @ApiResponse(responseCode = OK_CODE, description = PI_USER)
     @ApiResponse(responseCode = BAD_REQUEST_CODE, description = "{ErroredSystemAdminAccount}")
     @PostMapping("/add/system-admin")
+    @PreAuthorize("@authorisationService.userCanCreateSystemAdmin(#issuerId)")
     public ResponseEntity<? extends PiUser> createSystemAdminAccount(//NOSONAR
         @RequestHeader(ISSUER_ID) String issuerId, @RequestBody SystemAdminAccount account) {
         return ResponseEntity.ok(systemAdminB2CAccountService.addSystemAdminAccount(account, issuerId));

src/main/java/uk/gov/hmcts/reform/pip/account/management/service/AuthorisationService.java

@@ -10,6 +10,7 @@
 import uk.gov.hmcts.reform.pip.model.account.UserProvenances;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
 import static uk.gov.hmcts.reform.pip.model.LogBuilder.writeLog;
@@ -70,6 +71,18 @@ public boolean userCanUpdateAccount(UUID userId, UUID adminUserId) {
         return isAuthorised;
     }
 
+    public boolean userCanCreateSystemAdmin(UUID userId) {
+        Optional<PiUser> adminUser = userRepository.findByUserId(userId);
+        boolean isSystemAdmin = adminUser.isPresent() && adminUser.get().getRoles().equals(Roles.SYSTEM_ADMIN);
+
+        if (!isSystemAdmin) {
+            log.error(writeLog(
+                String.format("User with ID %s is forbidden to create a B2C system admin", userId)
+            ));
+        }
+        return isSystemAdmin;
+    }
+
     private boolean isAuthorisedRole(UUID userId, UUID adminUserId) {
         PiUser user = getUser(userId);
         if (UserProvenances.SSO.equals(user.getUserProvenance())) {