CIRC-2364 Anonymize Single Request Post API

descriptors/ModuleDescriptor-template.json

@@ -76,6 +76,24 @@
         }
       ]
     },
+    {
+      "id": "request-anonymization",
+      "version": "0.1",
+      "handlers": [
+        {
+          "methods": [
+            "POST"
+          ],
+          "pathPattern": "/request-anonymization/{requestId}",
+          "permissionsRequired": [
+            "circulation.requests.anonymize.item.post"
+          ],
+          "modulePermissions": [
+            "modperms.circulation.requests.anonymize.item"
+          ]
+        }
+      ]
+    },
     {
       "id": "request-move",
       "version": "0.7",
@@ -1509,6 +1527,11 @@
       "displayName": "circulation - anonymize loans",
       "description": "anonymize loans"
     },
+    {
+      "permissionName": "circulation.requests.anonymize.item.post",
+      "displayName": "circulation - anonymize request",
+      "description": "anonymize request"
+    },
     {
       "permissionName": "circulation.loans.item.delete",
       "displayName": "circulation - delete individual loan",
@@ -2305,6 +2328,21 @@
       ],
       "visible": false
     },
+    {
+      "permissionName": "modperms.circulation.requests.anonymize.item",
+      "displayName": "module permissions for single request anonymization",
+      "description": "Permissions needed to anonymize a single closed request",
+      "subPermissions": [
+        "circulation.request-anonymization.item.post",
+        "circulation-storage.requests.item.get",
+        "inventory-storage.items.item.get",
+        "inventory-storage.holdings-records.item.get",
+        "inventory-storage.instances.item.get",
+        "service-points.item.get",
+        "pubsub.publish.post"
+      ],
+      "visible": false
+    },
     {
       "permissionName": "modperms.circulation.requests.collection.get",
       "displayName": "module permissions for one op",

ramls/request-anonymization.raml

@@ -0,0 +1,66 @@
+#%RAML 1.0
+title: Circulation
+version: v0.1
+protocols: [ HTTP, HTTPS ]
+baseUri: http://localhost:9130
+
+documentation:
+  - title: Request Anonymization API
+    content: <b>Request Anonymization API</b>
+
+types:
+  anonymize-request-response: !include schema/anonymize-single-request-response.json
+  errors: !include raml-util/schemas/errors.schema
+
+traits:
+  validate: !include raml-util/traits/validation.raml
+
+/request-anonymization:
+  /{requestId}:
+    uriParameters:
+      requestId:
+        type: string
+        description: Request UUID to anonymize
+        example: 9fd9b9d8-1b1a-4a7a-9f54-5e7c5f5e0b2e
+        pattern: '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
+    post:
+      is: [ validate ]
+      description: Anonymize a single closed request by its requestId.
+      responses:
+        200:
+          description: The request has been successfully anonymized.
+          body:
+            application/json:
+              type: anonymize-request-response
+              example:
+                requestId: 9fd9b9d8-1b1a-4a7a-9f54-5e7c5f5e0b2e
+                anonymized: true
+
+        404:
+          description: Request with the given requestId was not found.
+          body:
+            application/json:
+              type: errors
+              example:
+                errors:
+                  - message: Request not found
+
+        422:
+          description: Validation error — request is not closed or another rule prevents anonymization.
+          body:
+            application/json:
+              type: errors
+              example:
+                errors:
+                  - message: requestNotClosed
+
+        500:
+          description: Internal server error.
+          body:
+            application/json:
+              type: errors
+              example:
+                errors:
+                  - message: Internal server error
+
+

ramls/schema/anonymize-single-request-response.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "description": "Single Request Anonymization Response",
+  "type": "object",
+  "properties": {
+    "requestId": {
+      "type": "string",
+      "format": "UUID",
+      "description": "UUID of the request that was processed."
+    },
+    "anonymized": {
+      "type": "boolean",
+      "description": "True if the request is anonymized after this call (PII removed or already absent)."
+    }
+  },
+  "required": ["requestId", "anonymized"],
+  "additionalProperties": false
+}

src/main/java/org/folio/circulation/CirculationVerticle.java

@@ -56,6 +56,7 @@
 import org.folio.circulation.resources.foruseatlocation.PickupByBarcodeResource;
 import org.folio.circulation.support.logging.LogHelper;
 import org.folio.circulation.support.logging.Logging;
+import org.folio.circulation.resources.RequestAnonymizationResource;
 
 import io.vertx.core.AbstractVerticle;
 import io.vertx.core.Promise;
@@ -145,6 +146,7 @@ public void start(Promise<Void> startFuture) {
     new ScheduledDigitalRemindersProcessingResource(client).register(router);
     new DueDateNotRealTimeScheduledNoticeProcessingResource(client).register(router);
     new RequestScheduledNoticeProcessingResource(client).register(router);
+    new RequestAnonymizationResource(client).register(router);
     new FeeFineScheduledNoticeProcessingResource(client).register(router);
     new FeeFineNotRealTimeScheduledNoticeProcessingResource(client).register(router);
     new OverdueFineScheduledNoticeProcessingResource(client).register(router);

src/main/java/org/folio/circulation/domain/representations/logs/LogEventType.java

@@ -11,7 +11,8 @@ public enum LogEventType {
   REQUEST_CREATED_THROUGH_OVERRIDE("REQUEST_CREATED_THROUGH_OVERRIDE_EVENT"),
   REQUEST_UPDATED("REQUEST_UPDATED_EVENT"),
   REQUEST_MOVED("REQUEST_MOVED_EVENT"),
-  REQUEST_REORDERED("REQUEST_REORDERED_EVENT");
+  REQUEST_REORDERED("REQUEST_REORDERED_EVENT"),
+  REQUEST_ANONYMIZED("REQUEST_ANONYMIZED_EVENT");
 
   private final String value;
 

src/main/java/org/folio/circulation/infrastructure/storage/requests/RequestRepository.java

@@ -20,7 +20,9 @@
 
 import java.lang.invoke.MethodHandles;
 import java.util.Collection;
+import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
+import java.util.function.DoubleUnaryOperator;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;

src/main/java/org/folio/circulation/resources/RequestAnonymizationResource.java

@@ -0,0 +1,43 @@
+package org.folio.circulation.resources;
+
+import io.vertx.core.json.JsonObject;
+import org.folio.circulation.services.EventPublisher;
+import org.folio.circulation.services.RequestAnonymizationService;
+import org.folio.circulation.support.Clients;
+import org.folio.circulation.support.RouteRegistration;
+import org.folio.circulation.support.http.server.JsonHttpResponse;
+import org.folio.circulation.support.http.server.WebContext;
+
+import io.vertx.core.http.HttpClient;
+import io.vertx.ext.web.Router;
+import io.vertx.ext.web.RoutingContext;
+
+public class RequestAnonymizationResource extends Resource {
+  public RequestAnonymizationResource(HttpClient client) {
+    super(client);
+  }
+
+  @Override
+  public void register(Router router) {
+    new RouteRegistration("/request-anonymization/:requestId", router)
+      .create(this::anonymizeRequest);
+  }
+
+  public void anonymizeRequest(RoutingContext routingContext) {
+    final WebContext context = new WebContext(routingContext);
+    final Clients clients = Clients.create(context, client);
+
+    final String requestId = routingContext.request().getParam("requestId");
+
+    final var eventPublisher = new EventPublisher(clients);
+    final var requestAnonymizationService = new RequestAnonymizationService(clients, eventPublisher);
+
+    requestAnonymizationService.anonymizeSingle(requestId)
+      .thenApply(r -> r.map(id ->
+        JsonHttpResponse.ok(new JsonObject()
+          .put("requestId", id)
+          .put("anonymized", true))
+      ))
+      .thenAccept(context::writeResultToHttpResponse);
+  }
+}

src/main/java/org/folio/circulation/services/EventPublisher.java

@@ -35,6 +35,8 @@
 import static org.folio.circulation.support.utils.DateFormatUtil.formatDateTimeOptional;
 
 import java.time.ZoneId;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
 import java.util.Optional;
 import java.util.concurrent.CompletableFuture;
 import org.apache.logging.log4j.LogManager;
@@ -450,6 +452,26 @@ private CompletableFuture<Result<Loan>> publishDueDateChangedEvent(Loan loan, Us
     return completedFuture(succeeded(null));
   }
 
+  public CompletableFuture<Result<Void>> publishRequestAnonymizedLog(Request req) {
+    final Item item = req.getItem();
+    final JsonObject linkToIds = new JsonObject()
+    .put("requestId", req.getId());
+    final JsonObject items = new JsonObject()
+    .put("itemBarcode", item != null ? item.getBarcode() : null)
+    .put("itemId",      item != null ? item.getItemId()   : null)
+    .put("instanceId",  item != null ? item.getInstanceId(): req.getInstanceId())
+    .put("holdingsId",  item != null ? item.getHoldingsRecordId() : req.getHoldingsRecordId());
+    final JsonObject context = new JsonObject()
+    .put("object", "Request")
+    .put("action", "anonymizeRequest")
+    .put("date", ZonedDateTime.now(ZoneOffset.UTC).toInstant().toString())
+    .put("userBarcode", "-")
+    .put("linkToIds", linkToIds)
+    .put("items", items);
+
+    return publishLogRecord(context, LogEventType.REQUEST_ANONYMIZED);
+  }
+
   private String getLoanActionCommentLog(Loan loan) {
     return format(ACTION_COMMENT_TEMPLATE, loan.getActionComment());
   }

src/main/java/org/folio/circulation/services/RequestAnonymizationService.java

@@ -0,0 +1,119 @@
+package org.folio.circulation.services;
+
+import static org.folio.circulation.support.results.Result.failed;
+import static org.folio.circulation.support.results.Result.succeeded;
+import static org.folio.circulation.support.results.ResultBinding.flatMapResult;
+import static org.folio.circulation.support.results.ResultBinding.mapResult;
+
+import java.util.EnumSet;
+import java.util.Set;
+import java.util.concurrent.CompletableFuture;
+
+import org.folio.circulation.domain.Request;
+import org.folio.circulation.domain.RequestFulfillmentPreference;
+import org.folio.circulation.domain.RequestStatus;
+import org.folio.circulation.support.Clients;
+import org.folio.circulation.support.ValidationErrorFailure;
+import org.folio.circulation.support.http.server.ValidationError;
+import org.folio.circulation.support.results.Result;
+import org.folio.circulation.infrastructure.storage.inventory.ItemRepository;
+import org.folio.circulation.infrastructure.storage.loans.LoanRepository;
+import org.folio.circulation.infrastructure.storage.users.UserRepository;
+import org.folio.circulation.infrastructure.storage.requests.RequestRepository;
+import org.folio.util.UuidUtil;
+import io.vertx.core.json.JsonObject;
+
+public class RequestAnonymizationService {
+  private static final Set<RequestStatus> ALLOWED_STATUSES = EnumSet.of(
+    RequestStatus.CLOSED_FILLED,
+    RequestStatus.CLOSED_CANCELLED,
+    RequestStatus.CLOSED_PICKUP_EXPIRED,
+    RequestStatus.CLOSED_UNFILLED
+  );
+
+  private static final Set<RequestStatus> OPEN_STATUSES = EnumSet.of(
+    RequestStatus.OPEN_AWAITING_PICKUP,
+    RequestStatus.OPEN_IN_TRANSIT,
+    RequestStatus.OPEN_NOT_YET_FILLED
+  );
+
+  private final RequestRepository requestRepository;
+  private final EventPublisher eventPublisher;
+
+  public RequestAnonymizationService(Clients clients, EventPublisher eventPublisher) {
+    ItemRepository itemRepository = new ItemRepository(clients);
+    UserRepository userRepository = new UserRepository(clients);
+    LoanRepository loanRepository = new LoanRepository(clients, itemRepository, userRepository);
+
+    this.requestRepository = RequestRepository.using(clients, itemRepository, userRepository, loanRepository);
+
+    this.eventPublisher = eventPublisher;
+  }
+
+  public RequestAnonymizationService(RequestRepository requestRepository,
+      EventPublisher eventPublisher) {
+
+    this.requestRepository = requestRepository;
+    this.eventPublisher = eventPublisher;
+  }
+
+  public CompletableFuture<Result<String>> anonymizeSingle(String requestId) {
+    if (!UuidUtil.isUuid(requestId)) {
+      return CompletableFuture.completedFuture(
+        ValidationErrorFailure.failedValidation("invalidRequestId", "requestId", requestId)
+      );
+    }
+
+    return fetchRequest(requestId)
+      .thenApply(flatMapResult(req -> validateStatus(req, requestId)))
+      .thenApply(mapResult(this::scrubPii))
+      .thenCompose(r -> r.after(requestRepository::update))
+      .thenCompose(r -> r.after(this::publishLog))
+      .thenApply(mapResult(updated -> requestId));
+  }
+
+  private CompletableFuture<Result<Request>> fetchRequest(String requestId) {
+    return requestRepository.getById(requestId);
+  }
+
+  private Result<Request> validateStatus(Request request, String id) {
+    final RequestStatus status = request.getStatus();
+
+    if (ALLOWED_STATUSES.contains(status)) {
+      return succeeded(request);
+    }
+    if (OPEN_STATUSES.contains(status)) {
+      return failed(new ValidationErrorFailure((new ValidationError("requestNotClosed", "requestId", id))));
+    }
+    return failed(new ValidationErrorFailure((new ValidationError("requestNotEligibleForAnonymization", "requestId", id))));
+  }
+
+  private Request scrubPii(Request req) {
+    final JsonObject rep = req.asJson();
+
+    final boolean hadRequester = rep.containsKey("requester") || rep.containsKey("requesterId");
+    final boolean hadProxy = rep.containsKey("proxy") || rep.containsKey("proxyUserId");
+    final boolean isDelivery = req.getfulfillmentPreference() == RequestFulfillmentPreference.DELIVERY;
+    final boolean hadDelivery = isDelivery && (rep.containsKey("deliveryAddress") || rep.containsKey("deliveryAddressTypeId"));
+
+    if (!hadRequester && !hadProxy && (!isDelivery || !hadDelivery)) {
+      return req;
+    }
+
+    rep.putNull("requesterId");
+    rep.putNull("proxyUserId");
+    rep.remove("requester");
+    rep.remove("proxy");
+
+    if (isDelivery) {
+      rep.remove("deliveryAddress");
+      rep.remove("deliveryAddressTypeId");
+    }
+
+    return Request.from(rep);
+  }
+
+  private CompletableFuture<Result<Void>> publishLog(Request req) {
+    return eventPublisher.publishRequestAnonymizedLog(req);
+  }
+}