From a3f0c4ec155aeeeda7de6d7939596ba53620ba52 Mon Sep 17 00:00:00 2001 From: antoniotarricone Date: Tue, 12 Nov 2024 11:14:19 +0100 Subject: [PATCH 1/2] Added OpenAPI descriptor for not admin operations. --- .spectral.yaml | 3 + .../resources/META-INF/openapi_not_admin.yaml | 873 ++++++++++++++++++ 2 files changed, 876 insertions(+) create mode 100644 src/main/resources/META-INF/openapi_not_admin.yaml diff --git a/.spectral.yaml b/.spectral.yaml index 5e6a3dff..989c6d82 100644 --- a/.spectral.yaml +++ b/.spectral.yaml @@ -5,10 +5,13 @@ extends: overrides: - files: - "src/main/resources/META-INF/openapi.yaml#/paths/~1token/post/security" + - "src/main/resources/META-INF/openapi_not_admin.yaml#/paths/~1token/post/security" rules: owasp:api2:2023-write-restricted: "off" - files: - "src/main/resources/META-INF/openapi.yaml#/paths/~1.well-known~1jwks.json/get/security" - "src/main/resources/META-INF/openapi.yaml#/paths/~1.well-known~1openid-configuration/get/security" + - "src/main/resources/META-INF/openapi_not_admin.yaml#/paths/~1.well-known~1jwks.json/get/security" + - "src/main/resources/META-INF/openapi_not_admin.yaml#/paths/~1.well-known~1openid-configuration/get/security" rules: owasp:api2:2023-read-restricted: "off" \ No newline at end of file diff --git a/src/main/resources/META-INF/openapi_not_admin.yaml b/src/main/resources/META-INF/openapi_not_admin.yaml new file mode 100644 index 00000000..c4996707 --- /dev/null +++ b/src/main/resources/META-INF/openapi_not_admin.yaml @@ -0,0 +1,873 @@ +openapi: 3.0.3 +info: + title: Authorization Microservice + version: 2.13.0 + description: Authorization Microservice for Multi-channel Integration Layer of SW Client Project + contact: + name: Antonio Tarricone + email: antonio.tarricone@pagopa.it +servers: + - description: Development/Test + url: https://mil-d-apim.azure-api.net/mil-auth + x-internal: true + - description: User Acceptance Test + url: https://mil-u-apim.azure-api.net/mil-auth + x-internal: true +tags: + - name: wellknown + description: Well-known operation + - name: introspect + description: Token introspection operation + - name: token + description: Operation to get or refresh access token +paths: + /token: + post: + operationId: getAccessToken + description: Returns access token or refresh it + tags: [token] + security: [] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + - $ref: '#/components/parameters/AcquirerId' + - $ref: '#/components/parameters/Channel' + - $ref: '#/components/parameters/MerchantId' + - $ref: '#/components/parameters/TerminalId' + - $ref: '#/components/parameters/FiscalCode' + requestBody: + $ref: '#/components/requestBodies/GetAccessToken' + responses: + "201": + #description: Created + $ref: '#/components/responses/AccessToken' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Wrong credentials + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "415": + #description: Unsupported media type. Did you provide application/x-www-form-urlencoded? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' + /token_info: + post: + operationId: introspect + description: Introspects a given access token returning the clear value of user tax (fiscal) code (if any) + tags: [introspect] + security: + - oAuth2: [token_info] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + requestBody: + $ref: '#/components/requestBodies/TokenInfo' + responses: + "200": + #description: Ok + $ref: '#/components/responses/TokenInfo' + "204": + #description: No content + $ref: '#/components/responses/NoContent' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Wrong credentials + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "415": + #description: Unsupported media type. Did you provide application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' + /.well-known/jwks.json: + get: + operationId: getJwks + description: Returns public keys + tags: [wellknown] + security: [] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + responses: + "200": + #description: Ok + $ref: '#/components/responses/Jwks' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Unauthorized + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' + /.well-known/openid-configuration: + get: + operationId: getOpenIdConf + description: Returns OpenID configuration + tags: [wellknown] + security: [] + parameters: + - $ref: '#/components/parameters/RequestId' + - $ref: '#/components/parameters/Version' + responses: + "200": + #description: Ok + $ref: '#/components/responses/OpenIdConf' + "400": + #description: Bad request + $ref: '#/components/responses/Error' + "401": + #description: Unauthorized + $ref: '#/components/responses/Error' + "403": + #description: Forbidden + $ref: '#/components/responses/Error' + "406": + #description: Not acceptable. Did you require application/json? + $ref: '#/components/responses/Error' + "429": + #description: Too many request + $ref: '#/components/responses/Error' + "500": + #description: Server error + $ref: '#/components/responses/Error' + default: + #description: Unexpected error + $ref: '#/components/responses/Error' +components: + # ======================================================== + # Schemas + # ======================================================== + schemas: + # ------------------------------------------------------ + # Basic types + # ------------------------------------------------------ + AccessControlAllowOrigin: + description: Indicates whether the response can be shared with requesting code from the given origin + type: string + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + AcquirerId: + description: Acquirer ID assigned by PagoPA + type: string + pattern: "^\\d{1,11}$" + minLength: 1 + maxLength: 11 + example: "4585625" + AdditionalData: + description: Additional data for external token authentication + type: string + pattern: "^[ -~]{1,4096}$" + minLength: 1 + maxLength: 4096 + example: "4b7eb94b-10c9-4f11-a10e-7292b29ab115" + BearerTokenType: + description: Token type for bearer token + type: string + enum: + - Bearer + example: "Bearer" + Channel: + description: Channel + enum: + - ATM + - POS + - TOTEM + - CASH_REGISTER + - CSA + type: string + example: "ATM" + ClientCredentialsGrantType: + description: Grant type to get an access token with client credentials + enum: + - client_credentials + type: string + example: "client_credentials" + ClientSecret: + description: Client secret (63 ^ 36 ≃ 6e64) + type: string + pattern: "^[0-9a-zA-Z-]{36}$" + minLength: 36 + maxLength: 36 + example: "c7a1b24b058347792ebdbaa-Az7fn37dh-q9" + ErrorCode: + description: Error code + type: string + pattern: "^[A-F0-9]{9}$" + minLength: 9 + maxLength: 9 + example: "001000005" + ErrorDescription: + description: Error description + type: string + pattern: "^[ -~]{0,256}$" + minLength: 0 + maxLength: 256 + example: "Duplicate key" + ExternalToken: + description: External token + type: string + pattern: "^[ -~]{1,4096}$" + minLength: 1 + maxLength: 4096 + example: "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJOZXhpIiwicG95bnQuZGlkIjoidXJuOnRpZDo1NTYyYjhlZC1lODljLTMzMmEtYThkYy1jYTA4MTcxMzUxMTAiLCJwb3ludC5kc3QiOiJEIiwicG95bnQub3JnIjoiMGU2Zjc4ODYtMDk1Ni00NDA1LWJjNDgtYzE5ODY4ZDdlZTIyIiwicG95bnQuc2N0IjoiVSIsImlzcyI6Imh0dHBzOlwvXC9zZXJ2aWNlcy1ldS5wb3ludC5uZXQiLCJwb3ludC51cmUiOiJPIiwicG95bnQua2lkIjozOTMyNDI1MjY4MDY5NDA5MjM0LCJwb3ludC5zY3YiOiJOZXhpIiwicG95bnQuc3RyIjoiZDNmZDNmZDMtMTg5ZC00N2M4LThjMzYtYjY4NWRkNjBkOTY0IiwiYXVkIjoidXJuOnRpZDo1NTYyYjhlZC1lODljLTMzMmEtYThkYy1jYTA4MTcxMzUxMTAiLCJwb3ludC51aWQiOjM3MzY1NzQsInBveW50LmJpeiI6IjRiN2ViOTRiLTEwYzktNGYxMS1hMTBlLTcyOTJiMjlhYjExNSIsImV4cCI6MTY4MDc4MzUzNiwiaWF0IjoxNjgwNjk3MTM2LCJqdGkiOiI3MjBmMDFlZS1iZDk4LTRjYjItOTU2Mi0xZjI4YWY2NGJhZGYifQ.dTuvtzqy9oPWIN4NIBdhIR09Xpm70dgRCP-ybuVLo24DwqaysPKNmEHDXcq2gGE1w2L6e783_PXRK3RI0j1TQRFeLRbiPzN5imBdrJ2LlV8QNdkElOl2x32j652YeFcoAitBzFss_Do0_rquU_008eeIXWa-B-AiMsdAqgLUiMigsTT42rQYr7Mb8Am_NWwvZ9-DWiox6HbuUNUo3TStBmLervqlQ5j2_3AzcOILp8cJX0699fw7Y6gcu_pNHgjswqD0UVPSAmHf_bqFAH6b98qHVKe3isMSoktYi4FfWdpG1ykviEp9Ii0QKfeLnqyIR6g2o2XzGlDv7Usv5ouiXg" + ExternalTokenGrantType: + description: Grant type to get an access token by means of external token + enum: + - poynt_token + type: string + example: "poynt_token" + FiscalCode: + description: User fiscal (tax) code + type: string + pattern: "^(([A-Z]{6}\\d{2}[A-Z]\\d{2}[A-Z]\\d{3}[A-Z])|(\\d{11}))$" + minLength: 11 + maxLength: 16 + example: "RSSMRA85T10A562S" + Issuer: + description: URL of token issuer + type: string + format: uri + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + example: "https://mil-d-apim.azure-api.net/mil-auth/" + JwksUri: + description: URL to get JKWS + type: string + format: uri + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + example: "https://mil-d-apim.azure-api.net/mil-auth/.well-known/jwks.json" + KeyId: + description: Key ID + type: string + pattern: "^[ -~]{1,512}$" + minLength: 1 + maxLength: 512 + example: "0ffa8f8d-d92b-46ee-a4e7-8f26651a2a96" + KeyType: + description: Key type + enum: + - RSA + type: string + example: "RSA" + MerchantId: + description: Merchant ID. Mandatory when Channel equals POS. + type: string + pattern: "^[0-9a-zA-Z]{1,15}$" + minLength: 1 + maxLength: 15 + example: "28405fHfk73x88D" + Modulus: + description: Modulus + type: string + pattern: ^[A-Za-z0-9_-]{172,683}$ # Base64/RFC4648 URL safe w/o padding + minLength: 172 # 128 bytes * 4 / 3 + maxLength: 683 # 512 bytes * 4 / 3 + example: "qjcVEWJTTySeKxHsJSsmVGk2cEvXJ4tBC4uyU5MxYwBAiIWuZb_yDOIjLz7JN8QsJs3QrZtS3vqv18ljW2db6ED90OUo9CVJveSF4eNRozDHOvnHGT0HR-8Wf5GxcNy63zfQLrnfdp5F9TrhMFRMkEA0TCT7PhT3yF6YvwLtQyMciER1_KKnpGomfAkW-UpaF2nHfXiFPrOIHMuNb5BoRR1f0349tqloLgLd7vyMy1jg-BldmEgRV1bcFqjH0Cg3leROjDy9HzdFauRIlSb4VZrqNni2hgaTUHI5Xp7aCwpS9Y_mf19KpxN0_8d-f3UVRlwtI1dryelpdC5jowxia2Pf8UgSZyMs2ZxDf6eU0SH8wHEvMpeFpwmiBD1XcsISoTan0Yv7w_CLo6JOqX6EfogDQZUBzKKlVCZSoSinAz0_7Bj2orgWKQ9sbfgJWgJweKkJLH-bNSRaVcu02boxPnlJeay3wROhSAgtiKWZnsU1_FpPNG0JBFCh_x-VjkuBoREpNEyJM5NvhRCmyObtzocS4eCtAgvmo3EFv_Xa-rp0p5ez4A-_QUb5OsYOswqYbIV1GbtiAfCTOrNbv6K86LaTllZ9WqYrKgDv7KA-604K37k33LHROqcO9Q-bCN8hKzQDWs7M3DFNP6P5iBUUVs-gtWncHvIuUWTth-fBXa8" + OfflineAccessScope: + description: Scope for offline_access + enum: + - offline_access + type: string + example: "offline_access" + Password: + description: User password + type: string + pattern: "^[ -~]{1,64}$" + minLength: 1 + maxLength: 64 + example: "Password-001$" + PasswordGrantType: + description: Grant type to get an access token with resource owner password + enum: + - password + type: string + example: "password" + PositiveInteger: + description: Non negative integer + type: integer + format: int32 + minimum: 1 + maximum: 2147483647 + example: 234 + PublicExponent: + description: Public key exponent + type: string + pattern: ^[A-Za-z0-9_-]{2,683}$ # Base64/RFC4648 URL safe w/o padding + minLength: 2 # 1 byte * 4 / 3 = 2 + maxLength: 683 # 512 bytes * 4 / 3 = 683 + example: "AQAB" + PublicKeyUse: + description: Public key use + enum: + - sig + - enc + type: string + example: "sig" + RefreshGrantType: + description: Grant type to refresh an access token + enum: + - refresh_token + type: string + example: "refresh_token" + RateLimitLimit: + description: The number of allowed requests in the current period + type: integer + format: int32 + minimum: 1 + maximum: 240 + RateLimitReset: + description: The number of seconds left in the current period + type: integer + format: int32 + minimum: 1 + maximum: 60 + RetryAfter: + description: The number of seconds to wait before allowing a follow-up request + type: integer + format: int32 + minimum: 1 + maximum: 240 + TerminalId: + description: ID of the terminal originating the transaction. It must be unique per acquirer and channel. + type: string + pattern: "^[0-9a-zA-Z]{1,8}$" + minLength: 1 + maxLength: 8 + example: "0aB9wXyZ" + Token: + description: Token + type: string + pattern: "^[a-zA-Z0-9_-]{1,1024}\\.[a-zA-Z0-9_-]{1,1024}\\.[a-zA-Z0-9_-]{1,1024}$" + minLength: 5 + maxLength: 3074 + example: "eyJraWQiOiI2OWQzZDEwZi03MGRhLTQ5ODItYjI4ZC03MmU4MTQ4MzI4YTMiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21pbC1kLWFwaW0uYXp1cmUtYXBpLm5ldC9taWwtaWRwIiwiYXVkIjpbImh0dHBzOi8vbWlsLWQtYXBpbS5henVyZS1hcGkubmV0L21pbC1wYXltZW50LW5vdGljZSIsImh0dHBzOi8vbWlsLWQtYXBpbS5henVyZS1hcGkubmV0L21pbC1mZWUtY2FsY3VsYXRvciJdLCJleHAiOjE2Nzg3ODkyOTUsInNjb3BlIjoidmVyaWZ5QnlRckNvZGUgYWN0aXZhdGVCeVFyQ29kZSB2ZXJpZnlCeVRheENvZGVBbmROb3RpY2VOdW1iZXIgYWN0aXZhdGVCeVRheENvZGVBbmROb3RpY2VOdW1iZXIgY2xvc2UgZ2V0UGF5bWVudFN0YXR1cyBnZXRGZWUifQ.UJ8Vwv0NwF5S3fajgsdpgV-t6VeZAVC9dR0QGVpevC6Rw35tTx_1pJq2kI0GVAp0Vm7mNmgpZgzqx14QJfBmtTz3ZMJuUYVJUfHHQxxRxEyVBslrloOCqc8LfFkC-jmVQG5_9p9f6Tb7MB-h9J_f9ivtFX9gz7jK2Q_llD3HU0FujMgHEJiloKl7sp2uDaMIiy9dOKT7m0M6sA1tA84kwuJASudd_KWotideFsiA8LMBy_fGlEO7ogF-WytXD0XfW6VIBwQKq5KB3L3HxUuOZE1Gr2hubZ9SCeGAptiaPCWeEDf4w4x3IvKUL-rmm4bs4xalCmUbWcnTkKJi5f4N_8d2aRBrCL7k01rEK-OI1NH1-cCCk97eanNxvFEAKk_9t8rggipYt9BuL929p11LHVeYqqfemz1yrzc58LJXWPNgSMZ8XjKoITzsEiKWtGMYNV6GodJs_USnMKGIlc_uynZS0Q9mUV5IWhFaOZWFkM1nNwebMq9edg-kxtj1WpNkXfP1lahOMt36a9Rn2rWBLAhMBnerigsxFmUpi90EmbDkgOKTEXd3adOWLBb0jQSw0gPlNHe4bHh_LxBNNWljd6P9yZ4CYvZsWFwt_85d-PS56y-mNWV5oFMgPd-_qeF3Fn-QMj3Q5qySoqNCLzX7pnqjzXrveazLcR-CrroIUGM" + TokenEndpoint: + description: URL to get tokens + type: string + format: uri + pattern: "^[ -~]{1,2048}$" + minLength: 1 + maxLength: 2048 + example: "https://mil-d-apim.azure-api.net/mil-auth/token" + Username: + description: User name + type: string + pattern: "^[ -~]{1,64}$" + minLength: 1 + maxLength: 64 + example: "Merchant-001" + UUID: + description: UUID + type: string + format: uuid + pattern: "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" + minLength: 36 + maxLength: 36 + example: "d0d654e6-97da-4848-b568-99fedccb642b" + # ------------------------------------------------------ + # Complex types + # ------------------------------------------------------ + AccessToken: + description: Data returned when a new access token is requested + type: object + additionalProperties: false + properties: + access_token: + $ref: '#/components/schemas/Token' + refresh_token: + $ref: '#/components/schemas/Token' + token_type: + $ref: '#/components/schemas/BearerTokenType' + expires_in: + $ref: '#/components/schemas/PositiveInteger' + required: + - access_token + - token_type + - expires_in + example: + access_token: "eyJraWQiOiI2OWQzZDEwZi03MGRhLTQ5ODItYjI4ZC03MmU4MTQ4MzI4YTMiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21pbC1kLWFwaW0uYXp1cmUtYXBpLm5ldC9taWwtaWRwIiwiYXVkIjpbImh0dHBzOi8vbWlsLWQtYXBpbS5henVyZS1hcGkubmV0L21pbC1wYXltZW50LW5vdGljZSIsImh0dHBzOi8vbWlsLWQtYXBpbS5henVyZS1hcGkubmV0L21pbC1mZWUtY2FsY3VsYXRvciJdLCJleHAiOjE2Nzg3ODkyOTUsInNjb3BlIjoidmVyaWZ5QnlRckNvZGUgYWN0aXZhdGVCeVFyQ29kZSB2ZXJpZnlCeVRheENvZGVBbmROb3RpY2VOdW1iZXIgYWN0aXZhdGVCeVRheENvZGVBbmROb3RpY2VOdW1iZXIgY2xvc2UgZ2V0UGF5bWVudFN0YXR1cyBnZXRGZWUifQ.UJ8Vwv0NwF5S3fajgsdpgV-t6VeZAVC9dR0QGVpevC6Rw35tTx_1pJq2kI0GVAp0Vm7mNmgpZgzqx14QJfBmtTz3ZMJuUYVJUfHHQxxRxEyVBslrloOCqc8LfFkC-jmVQG5_9p9f6Tb7MB-h9J_f9ivtFX9gz7jK2Q_llD3HU0FujMgHEJiloKl7sp2uDaMIiy9dOKT7m0M6sA1tA84kwuJASudd_KWotideFsiA8LMBy_fGlEO7ogF-WytXD0XfW6VIBwQKq5KB3L3HxUuOZE1Gr2hubZ9SCeGAptiaPCWeEDf4w4x3IvKUL-rmm4bs4xalCmUbWcnTkKJi5f4N_8d2aRBrCL7k01rEK-OI1NH1-cCCk97eanNxvFEAKk_9t8rggipYt9BuL929p11LHVeYqqfemz1yrzc58LJXWPNgSMZ8XjKoITzsEiKWtGMYNV6GodJs_USnMKGIlc_uynZS0Q9mUV5IWhFaOZWFkM1nNwebMq9edg-kxtj1WpNkXfP1lahOMt36a9Rn2rWBLAhMBnerigsxFmUpi90EmbDkgOKTEXd3adOWLBb0jQSw0gPlNHe4bHh_LxBNNWljd6P9yZ4CYvZsWFwt_85d-PS56y-mNWV5oFMgPd-_qeF3Fn-QMj3Q5qySoqNCLzX7pnqjzXrveazLcR-CrroIUGM" + refresh_token: "eyJraWQiOiIxN2YwNWViZC1hMWMzLTRjNWMtODM4Ny1jOWZlNjU4MDRiMDEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21pbC1kLWFwaW0uYXp1cmUtYXBpLm5ldC9taWwtaWRwIiwiYXVkIjoiaHR0cHM6Ly9taWwtZC1hcGltLmF6dXJlLWFwaS5uZXQvbWlsLWlkcCIsImV4cCI6MTY3ODg4MTA1NSwic2NvcGUiOiJvZmZsaW5lX2FjY2VzcyJ9.Bu-BXKRMoE8fdBfuoPAa70WQYUWVH3BK3VFMw-9mr7hGlKBSONXQY8vcrFuh4OLm6vHX2hUagYuJ3yS_Anm5AHU8Kpay0dGm30fyPxFAyv5s_Yn_ET3VExPZBedBSlHl0Rzt0JQ_9X07X0JkCwWacxWMueKNoVndAh3QxswbkwtEANAKvQcvAtdLjh-93eDYFq0vvS8qNRReTZf46fldIL9H5-0MMqjfVi5A6y8YCzx7_kOHKq8wCy7u75QtKhPRzYnY0JcBVMALZgQovpCYpnlPkP3JV3cgdmlDGWmGHbKQz9iQ5bY1071e3vhxqR2iEqFJwn7nohYq9sxkMQGxNxz2BI-w3v_SQ3zS3mI1qK_qm1c7yzyF3c_lB920T5hBup9RozIXVb2OkX38pW6JKORETgSLlhnqLc8Rr1_HaQ2qN_JYcn7Urv_0mSJh-i8zS39F1glY3ejHHiVbl8cSJsPPw-ehpKAozf6h0_JiZBe0TuBtyTNULQH1iri19C9z_XBgBnfC1DtrnQn-UIgGbJq1TnIgtVmtTnReJqDpcf6_MGDLqCL-x192UQszb8GgWjD8tRusJ9X5HG1RHUAVyQ5gfOCegHmymyB7Dx7e5fCOghDUTT0t2dvVKbIXZGilrddKBg70iBGDA5j5-01lvnl2aaxBv51Y_zr-3IZdAyA" + token_type: "Bearer" + expires_in: 36000 + Errors: + description: List of errors + type: object + additionalProperties: false + properties: + errors: + type: array + maxItems: 32 + items: + $ref: '#/components/schemas/ErrorCode' + descriptions: + type: array + maxItems: 32 + items: + $ref: '#/components/schemas/ErrorDescription' + required: + - errors + example: + errors: + - "00000000A" + - "001000001" + descriptions: + - "[00000000A] Duplicate client id" + - "[001000001] Invalid location" + GetAccessTokenByClientCredentials: + description: Request to get an access token by means of client credentials + type: object + additionalProperties: false + properties: + grant_type: + $ref: '#/components/schemas/ClientCredentialsGrantType' + client_id: + $ref: '#/components/schemas/UUID' + client_secret: + $ref: '#/components/schemas/ClientSecret' + required: + - grant_type + - client_id + - client_secret + example: + grant_type: "client_credentials" + client_id: "d0d654e6-97da-4848-b568-99fedccb642b" + client_secret: "265a5ac0-c651-428e-bed6-763f6cd244b5" + GetAccessTokenByExternalToken: + description: Request to get an access token by means of external token + type: object + additionalProperties: false + properties: + grant_type: + $ref: '#/components/schemas/ExternalTokenGrantType' + ext_token: + $ref: '#/components/schemas/ExternalToken' + add_data: + $ref: '#/components/schemas/AdditionalData' + scope: + $ref: '#/components/schemas/OfflineAccessScope' + client_id: + $ref: '#/components/schemas/UUID' + required: + - grant_type + - ext_token + - add_data + - client_id + example: + grant_type: "poynt_token" + ext_token: "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJOZXhpIiwicG95bnQuZGlkIjoidXJuOnRpZDo1NTYyYjhlZC1lODljLTMzMmEtYThkYy1jYTA4MTcxMzUxMTAiLCJwb3ludC5kc3QiOiJEIiwicG95bnQub3JnIjoiMGU2Zjc4ODYtMDk1Ni00NDA1LWJjNDgtYzE5ODY4ZDdlZTIyIiwicG95bnQuc2N0IjoiVSIsImlzcyI6Imh0dHBzOlwvXC9zZXJ2aWNlcy1ldS5wb3ludC5uZXQiLCJwb3ludC51cmUiOiJPIiwicG95bnQua2lkIjozOTMyNDI1MjY4MDY5NDA5MjM0LCJwb3ludC5zY3YiOiJOZXhpIiwicG95bnQuc3RyIjoiZDNmZDNmZDMtMTg5ZC00N2M4LThjMzYtYjY4NWRkNjBkOTY0IiwiYXVkIjoidXJuOnRpZDo1NTYyYjhlZC1lODljLTMzMmEtYThkYy1jYTA4MTcxMzUxMTAiLCJwb3ludC51aWQiOjM3MzY1NzQsInBveW50LmJpeiI6IjRiN2ViOTRiLTEwYzktNGYxMS1hMTBlLTcyOTJiMjlhYjExNSIsImV4cCI6MTY4MDc4MzUzNiwiaWF0IjoxNjgwNjk3MTM2LCJqdGkiOiI3MjBmMDFlZS1iZDk4LTRjYjItOTU2Mi0xZjI4YWY2NGJhZGYifQ.dTuvtzqy9oPWIN4NIBdhIR09Xpm70dgRCP-ybuVLo24DwqaysPKNmEHDXcq2gGE1w2L6e783_PXRK3RI0j1TQRFeLRbiPzN5imBdrJ2LlV8QNdkElOl2x32j652YeFcoAitBzFss_Do0_rquU_008eeIXWa-B-AiMsdAqgLUiMigsTT42rQYr7Mb8Am_NWwvZ9-DWiox6HbuUNUo3TStBmLervqlQ5j2_3AzcOILp8cJX0699fw7Y6gcu_pNHgjswqD0UVPSAmHf_bqFAH6b98qHVKe3isMSoktYi4FfWdpG1ykviEp9Ii0QKfeLnqyIR6g2o2XzGlDv7Usv5ouiXg" + add_data: "4b7eb94b-10c9-4f11-a10e-7292b29ab115" + scope: "offline_access" + client_id: "d0d654e6-97da-4848-b568-99fedccb642b" + GetAccessTokenByPassword: + description: Request to get an access token by means of resource owner password + type: object + additionalProperties: false + properties: + grant_type: + $ref: '#/components/schemas/PasswordGrantType' + username: + $ref: '#/components/schemas/Username' + password: + $ref: '#/components/schemas/Password' + scope: + $ref: '#/components/schemas/OfflineAccessScope' + client_id: + $ref: '#/components/schemas/UUID' + required: + - grant_type + - username + - password + - client_id + example: + grant_type: "password" + username: "Merchant-001" + password: "Password-001$" + scope: "offline_access" + client_id: "d0d654e6-97da-4848-b568-99fedccb642b" + OpenIdConf: + description: OpenID configuration + type: object + additionalProperties: false + properties: + issuer: + $ref: '#/components/schemas/Issuer' + token_endpoint: + $ref: '#/components/schemas/TokenEndpoint' + jwks_uri: + $ref: '#/components/schemas/JwksUri' + PublicKey: + description: Public key + type: object + additionalProperties: false + properties: + kty: + $ref: '#/components/schemas/KeyType' + e: + $ref: '#/components/schemas/PublicExponent' + use: + $ref: '#/components/schemas/PublicKeyUse' + kid: + $ref: '#/components/schemas/KeyId' + exp: + $ref: '#/components/schemas/PositiveInteger' + iat: + $ref: '#/components/schemas/PositiveInteger' + n: + $ref: '#/components/schemas/Modulus' + required: + - kty + - e + - use + - kid + - exp + - iat + - n + example: + kty: "RSA" + e: "AQAB" + use: "sig" + kid: "0ffa8f8d-d92b-46ee-a4e7-8f26651a2a96" + exp: 1678975089 + iat: 1678888689 + n: "qjcVEWJTTySeKxHsJSsmVGk2cEvXJ4tBC4uyU5MxYwBAiIWuZb_yDOIjLz7JN8QsJs3QrZtS3vqv18ljW2db6ED90OUo9CVJveSF4eNRozDHOvnHGT0HR-8Wf5GxcNy63zfQLrnfdp5F9TrhMFRMkEA0TCT7PhT3yF6YvwLtQyMciER1_KKnpGomfAkW-UpaF2nHfXiFPrOIHMuNb5BoRR1f0349tqloLgLd7vyMy1jg-BldmEgRV1bcFqjH0Cg3leROjDy9HzdFauRIlSb4VZrqNni2hgaTUHI5Xp7aCwpS9Y_mf19KpxN0_8d-f3UVRlwtI1dryelpdC5jowxia2Pf8UgSZyMs2ZxDf6eU0SH8wHEvMpeFpwmiBD1XcsISoTan0Yv7w_CLo6JOqX6EfogDQZUBzKKlVCZSoSinAz0_7Bj2orgWKQ9sbfgJWgJweKkJLH-bNSRaVcu02boxPnlJeay3wROhSAgtiKWZnsU1_FpPNG0JBFCh_x-VjkuBoREpNEyJM5NvhRCmyObtzocS4eCtAgvmo3EFv_Xa-rp0p5ez4A-_QUb5OsYOswqYbIV1GbtiAfCTOrNbv6K86LaTllZ9WqYrKgDv7KA-604K37k33LHROqcO9Q-bCN8hKzQDWs7M3DFNP6P5iBUUVs-gtWncHvIuUWTth-fBXa8" + PublicKeys: + description: Public keys + type: object + additionalProperties: false + properties: + keys: + type: array + maxItems: 32 + items: + $ref: '#/components/schemas/PublicKey' + required: + - keys + example: + keys: + - kty: "RSA" + e: "AQAB" + use: "sig" + kid: "0ffa8f8d-d92b-46ee-a4e7-8f26651a2a96" + exp: 1678975089 + iat: 1678888689 + n: "qjcVEWJTTySeKxHsJSsmVGk2cEvXJ4tBC4uyU5MxYwBAiIWuZb_yDOIjLz7JN8QsJs3QrZtS3vqv18ljW2db6ED90OUo9CVJveSF4eNRozDHOvnHGT0HR-8Wf5GxcNy63zfQLrnfdp5F9TrhMFRMkEA0TCT7PhT3yF6YvwLtQyMciER1_KKnpGomfAkW-UpaF2nHfXiFPrOIHMuNb5BoRR1f0349tqloLgLd7vyMy1jg-BldmEgRV1bcFqjH0Cg3leROjDy9HzdFauRIlSb4VZrqNni2hgaTUHI5Xp7aCwpS9Y_mf19KpxN0_8d-f3UVRlwtI1dryelpdC5jowxia2Pf8UgSZyMs2ZxDf6eU0SH8wHEvMpeFpwmiBD1XcsISoTan0Yv7w_CLo6JOqX6EfogDQZUBzKKlVCZSoSinAz0_7Bj2orgWKQ9sbfgJWgJweKkJLH-bNSRaVcu02boxPnlJeay3wROhSAgtiKWZnsU1_FpPNG0JBFCh_x-VjkuBoREpNEyJM5NvhRCmyObtzocS4eCtAgvmo3EFv_Xa-rp0p5ez4A-_QUb5OsYOswqYbIV1GbtiAfCTOrNbv6K86LaTllZ9WqYrKgDv7KA-604K37k33LHROqcO9Q-bCN8hKzQDWs7M3DFNP6P5iBUUVs-gtWncHvIuUWTth-fBXa8" + RefreshAccessToken: + description: Request to get an access token by means of a refresh token + type: object + #additionalProperties: true + properties: + grant_type: + $ref: '#/components/schemas/RefreshGrantType' + client_id: + $ref: '#/components/schemas/UUID' + refresh_token: + $ref: '#/components/schemas/Token' + required: + - grant_type + - client_id + - refresh_token + example: + grant_type: "refresh_token" + client_id: "d0d654e6-97da-4848-b568-99fedccb642b" + refresh_token: "eyJraWQiOiIxN2YwNWViZC1hMWMzLTRjNWMtODM4Ny1jOWZlNjU4MDRiMDEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21pbC1kLWFwaW0uYXp1cmUtYXBpLm5ldC9taWwtaWRwIiwiYXVkIjoiaHR0cHM6Ly9taWwtZC1hcGltLmF6dXJlLWFwaS5uZXQvbWlsLWlkcCIsImV4cCI6MTY3ODg4MTA1NSwic2NvcGUiOiJvZmZsaW5lX2FjY2VzcyJ9.Bu-BXKRMoE8fdBfuoPAa70WQYUWVH3BK3VFMw-9mr7hGlKBSONXQY8vcrFuh4OLm6vHX2hUagYuJ3yS_Anm5AHU8Kpay0dGm30fyPxFAyv5s_Yn_ET3VExPZBedBSlHl0Rzt0JQ_9X07X0JkCwWacxWMueKNoVndAh3QxswbkwtEANAKvQcvAtdLjh-93eDYFq0vvS8qNRReTZf46fldIL9H5-0MMqjfVi5A6y8YCzx7_kOHKq8wCy7u75QtKhPRzYnY0JcBVMALZgQovpCYpnlPkP3JV3cgdmlDGWmGHbKQz9iQ5bY1071e3vhxqR2iEqFJwn7nohYq9sxkMQGxNxz2BI-w3v_SQ3zS3mI1qK_qm1c7yzyF3c_lB920T5hBup9RozIXVb2OkX38pW6JKORETgSLlhnqLc8Rr1_HaQ2qN_JYcn7Urv_0mSJh-i8zS39F1glY3ejHHiVbl8cSJsPPw-ehpKAozf6h0_JiZBe0TuBtyTNULQH1iri19C9z_XBgBnfC1DtrnQn-UIgGbJq1TnIgtVmtTnReJqDpcf6_MGDLqCL-x192UQszb8GgWjD8tRusJ9X5HG1RHUAVyQ5gfOCegHmymyB7Dx7e5fCOghDUTT0t2dvVKbIXZGilrddKBg70iBGDA5j5-01lvnl2aaxBv51Y_zr-3IZdAyA" + TokenInfoRequest: + description: Request to introspect an access token + type: object + additionalProperties: false + properties: + token: + $ref: '#/components/schemas/Token' + required: + - token + example: + token: "eyJraWQiOiJhdXRoYjk0MGJmNjZhZGY3NDgxYTk3MWI0ZTI2OTNhZDljMWIvYTdmNDdmNDA5ZDc1NDc4YWJiNjY1NGEzNmQxY2Y0NjkiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1MjU0ZjA4Ny0xMjE0LTQ1Y2QtOTRhZS1mZGE1M2M4MzUxOTciLCJhdWQiOiJtaWwucGFnb3BhLml0IiwiY2xpZW50SWQiOiI1MjU0ZjA4Ny0xMjE0LTQ1Y2QtOTRhZS1mZGE1M2M4MzUxOTciLCJtZXJjaGFudElkIjoiMjg0MDVmSGZrNzN4ODhEIiwiY2hhbm5lbCI6IlBPUyIsImlzcyI6Imh0dHBzOi8vbWlsLXUtYXBpbS5henVyZS1hcGkubmV0L21pbC1hdXRoIiwiZ3JvdXBzIjpbIk5vdGljZVBheWVyIiwiU2xhdmVQb3MiLCJQYXlXaXRoSURQYXkiXSwidGVybWluYWxJZCI6IjAxMjM0NTY3IiwiZXhwIjoxNzEwNzYwMDc0LCJhY3F1aXJlcklkIjoiNDU4NTYyNSIsImlhdCI6MTcxMDc1OTE3NH0.DwdwI-kYMf9OWY5PjBUw9zrSZGXGaqWlj1FwygAKv_AMvZ41_Uu8fnL7LOpYTYS0qNouxOVsRmpOnjfvt1zfx8t8MZP07O7KpO4cJpBfqm2kXI5_A2gimFrF4m_4LM-exNM0fW5gaGC8TVfMm0dkrJh0tFnZ3j-xw9bGi1ZqubIth0H7M8JkvzZ1o6CMOyfEVTYbiJb9lhsP6qrmduhhv9uRAo7SyIVFVudjsNyrw-MFDwQhpGdhrKa_2q6ZpkjzRcK1t_NynFI1IFbWuy5wYS1DllA9uJxU9Rc1zPHQk1UR_Cfrek3D7rfg9tJY0XqDerG8gUMg7wlizMZSkmWfhNKz5yH9seV4_ktVU2rBVsN-OIwMfOiD3kwjIxw4NcX5Uza9cMCQPSZqbDCG4jeFQjJ1WxBkKAfFJLc_Vb59CS2UttwCJA8A9OsCJ2kQQ9fg_Ez1tzNdsCsMXQo7XAFPKGTe0MpL2UPiErPATEjdfdzHnwyZsx-DubAEwKUREHjAevAQb6i6b6aI_3Ti51ArLor1jW_1EHwt2fRyhbDdTyvKSI7trqtx8DkNgd42dOBYrIqYUs2xfaFdKLGDmH5dFX7n8l--xqaNDU983Z1neNX-lsRWe-22eT0ykfRW_GI84v_uRA2My5RL2mmJ9vjRQ3LTlaOairNYkYplyXcydSQ" + TokenInfoResponse: + description: Response to the request to introspect an access token + type: object + additionalProperties: false + properties: + fiscalCode: + $ref: '#/components/schemas/FiscalCode' + required: + - fiscalCode + example: + fiscalCode: "RSSMRA85T10A562S" + # ======================================================== + # Request bodies + # ======================================================== + requestBodies: + GetAccessToken: + description: Request to get an access token by means of username and password or by refresh token or by external token + content: + application/x-www-form-urlencoded: + schema: + oneOf: + - $ref: '#/components/schemas/GetAccessTokenByPassword' + - $ref: '#/components/schemas/RefreshAccessToken' + - $ref: '#/components/schemas/GetAccessTokenByExternalToken' + - $ref: '#/components/schemas/GetAccessTokenByClientCredentials' + TokenInfo: + description: Request to introspect an access token + content: + application/json: + schema: + $ref: '#/components/schemas/TokenInfoRequest' + # ======================================================== + # Parameters + # ======================================================== + parameters: + AcquirerId: + name: AcquirerId + in: header + description: Acquirer ID assigned by PagoPA + required: false + schema: + $ref: '#/components/schemas/AcquirerId' + Channel: + name: Channel + in: header + description: Channel + required: false + schema: + $ref: '#/components/schemas/Channel' + FiscalCode: + name: FiscalCode + in: header + description: User fiscal (tax) code + required: false + schema: + $ref: '#/components/schemas/FiscalCode' + MerchantId: + name: MerchantId + description: Merchant ID. Mandatory when Channel equals POS. + in: header + required: false + schema: + $ref: '#/components/schemas/MerchantId' + RequestId: + name: RequestId + in: header + description: Request Id that will be logged by services + required: false + schema: + $ref: '#/components/schemas/UUID' + TerminalId: + name: TerminalId + in: header + description: ID of the terminal originating the transaction. It must be unique per acquirer and channel. + required: false + schema: + $ref: '#/components/schemas/TerminalId' + Version: + name: Version + in: header + description: Version of the required API + required: false + schema: + type: string + pattern: "^[ -~]{1,64}$" + minLength: 1 + maxLength: 64 + example: "1.0.0-alpha-a.b-c-somethinglong+build.1-aef.1-its-okay" + # ======================================================== + # Responses + # ======================================================== + responses: + AccessToken: + description: Response returned when an access token is requested + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/AccessToken' + Error: + description: Error response + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + Retry-After: + description: The number of seconds to wait before allowing a follow-up request + required: false + schema: + $ref: '#/components/schemas/RetryAfter' + content: + application/json: + schema: + $ref: '#/components/schemas/Errors' + text/*: + schema: + type: string + pattern: "^[ -~]{0,65535}$" + maxLength: 65535 + Jwks: + description: Public keys + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/PublicKeys' + NoContent: + description: No content response + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + OpenIdConf: + description: OpenID configuration + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/OpenIdConf' + TokenInfo: + description: Response to the request to introspect an access token + headers: + Access-Control-Allow-Origin: + description: Indicates whether the response can be shared with requesting code from the given origin + required: false + schema: + $ref: '#/components/schemas/AccessControlAllowOrigin' + RateLimit-Limit: + description: The number of allowed requests in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitLimit' + RateLimit-Reset: + description: The number of seconds left in the current period + required: false + schema: + $ref: '#/components/schemas/RateLimitReset' + content: + application/json: + schema: + $ref: '#/components/schemas/TokenInfoResponse' + # ---------------------------------------------------------------------------------- + # Security schemes + # ---------------------------------------------------------------------------------- + securitySchemes: + oAuth2: + description: A bearer token in the format of a JWS and conforms to the specifications included in RFC8725 + type: oauth2 + flows: + clientCredentials: + tokenUrl: /token + refreshUrl: /token + scopes: + token_info: introspect access token From 7c409ad4dccd648375b38d1a5caa901e77a63897 Mon Sep 17 00:00:00 2001 From: antoniotarricone Date: Tue, 12 Nov 2024 11:48:35 +0100 Subject: [PATCH 2/2] Mil actions updated. --- .github/workflows/build-n-push-main.yml | 2 +- .github/workflows/post-merge.yml | 2 +- .github/workflows/pr-validation.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml index 7b9bdd8b..71ece425 100644 --- a/.github/workflows/build-n-push-main.yml +++ b/.github/workflows/build-n-push-main.yml @@ -29,7 +29,7 @@ jobs: # Setup Java Build Environment. # - name: Setup Java Build Environment - uses: pagopa/mil-actions/setup-java-build-env@241c6c17f483229fdd4ac26c6d79d1d65be2659c # 1.1.1 + uses: pagopa/mil-actions/setup-java-build-env@f782a1b3cdb79afda2c10007ae46b831b31fe640 # 1.1.2 with: gh_user: ${{ secrets.GIT_USER }} gh_token: ${{ secrets.GIT_PAT }} diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml index 01048533..0a4270c9 100644 --- a/.github/workflows/post-merge.yml +++ b/.github/workflows/post-merge.yml @@ -63,7 +63,7 @@ jobs: # Setup Java Build Environment. # - name: Setup Java Build Environment - uses: pagopa/mil-actions/setup-java-build-env@241c6c17f483229fdd4ac26c6d79d1d65be2659c # 1.1.1 + uses: pagopa/mil-actions/setup-java-build-env@f782a1b3cdb79afda2c10007ae46b831b31fe640 # 1.1.2 with: gh_user: ${{ secrets.GIT_USER }} gh_token: ${{ secrets.GIT_PAT }} diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index aa7d8ae4..c8d8317a 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - name: PR validation - uses: pagopa/mil-actions/pr-validation@6dba0fb019f2714767a0b7954fb12ebd7ec0aa3e # 1.0.0 + uses: pagopa/mil-actions/pr-validation@63477e234c35c65476a37982635cd524aa71193c # 1.1.3 with: gh_user: ${{ secrets.GIT_USER }} gh_token: ${{ secrets.GIT_PAT }}