ES-2961, MOSIP-44503, ES-3003 - Added test cases for JWE test cases & fixed the consent issue

[prathmeshj12]

ES-2961: Added test cases for JWE enc story.
ES-3003: Fixed the consent NOCAPTURE, Authentication test cases.

Summary by CodeRabbit

• Tests
  • Added comprehensive FAPI userinfo JWE test coverage (creation, token, auth-code, authenticate, partial update)
  • Added new smoke tests for JWE userinfo flows and client partial-update scenarios
  • Expanded OAuth/par and consent test scenarios, including consent-no-capture and subsequent-authentication paths
  • Normalized and extended test templates and dependency mappings for end-to-end mock executions

[coderabbitai]

Warning

Rate limit exceeded

@prathmeshj12 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 47 minutes and 2 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 322234fc-0953-4edb-a331-37c82dec5bef

📥 Commits

Reviewing files that changed from the base of the PR and between 6ee05ef and 0785019.

📒 Files selected for processing (1)

• api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient.yml

(Note: the hidden artifact above contains the complete, machine-parseable review stack for this PR.)

Walkthrough

This PR adds comprehensive FAPI-JWE (Financial-grade API with JWE encryption) support to the eSignet test suite. It introduces Maven publishing configuration, extends EsignetUtil with dynamic FAPI key selection and new JWE-specific placeholders, adds FAPI-JWE test cases across all OAuth flows (authenticate, authorize, token, userinfo), introduces a new partial OIDC client update endpoint, and fixes consent flow test configurations to correctly reflect subsequent-authentication behavior.

Changes

FAPI-JWE Support and Consent Flow Updates

Layer / File(s)	Summary
Build and Maven Publishing Configuration api-test/pom.xml	Maven POM updated with Sonatype Central publishing: new central.publishing.maven.plugin.version property, <distributionManagement> section, and central-publishing-maven-plugin wiring with ossrh server configuration.
FAPI-JWE Core Support in EsignetUtil api-test/src/main/java/io/mosip/testrig/apirig/esignet/utils/EsignetUtil.java	EsignetUtil extended with FAPI-JWE key support: new OIDC_JWK_FOR_FAPI_JWE constant, oidc_JWK_Key_For_FAPI_JWE cached RSAKey holder, triggerESignetKeyGenForFAPIJWE flag, getFapiJwkKeyName(testCaseName) helper for dynamic FAPI/FAPI-JWE key selection, updated $DPOP_JKT$ / $DPOP_PROOF$ / $DPOP_PROOF_WITH_ACCESS_TOKEN$ handlers to use dynamic key selection, new $OIDC_JWK_KEY_FAPI_JWE$ placeholder, new $CLIENT_ASSERTION_FAPI_JWE_JWT$ placeholder, and expanded $CLIENT_ASSERTION_FAPI_JWT$ to select appropriate FAPI key dynamically. Test-case gating expanded for new FAPI-JWE test cases.
FAPI-JWE OIDC Client Creation and Templates api-test/src/main/resources/esignet/FAPI/FAPICreateOIDCClientV3/*, api-test/src/main/resources/esignet/OidcClient/*	FAPICreateOIDCClient.hbs parameterized userinfo_response_type field for configurable JWE/JWS modes. New JWE test case added to FAPICreateOIDCClient.yml with publicKey set to $OIDC_JWK_KEY_FAPI_JWE$ and userinfo_response_type: "JWE". OIDCClient.yml FAPI smoke test corrected to use OIDCClientFAPI template with FAPI-specific request fields. OIDCClientFAPI.hbs restructured additionalConfig to include require_pkce and new userinfo_response_type field.
FAPI-JWE Authentication and Authorization Flows api-test/src/main/resources/esignet/FAPI/FAPIAuthenticateUser/*, api-test/src/main/resources/esignet/FAPI/FAPIAuthorizationCode/*, api-test/src/main/resources/esignet/FAPI/FAPIGenerateToken/*	FAPIAuthenticateUser.yml adds new forUserInfoJWE smoke test with OTP-based JWE-specific identifiers and sendOtp flow. FAPIAuthorizationCode.yml adds forUserInfoJWE test case with TC_ESignet_FAPI_AuthenticateUserV3_02 dependency. FAPIGenerateToken.yml adjusts output format and adds forUserInfoJWE test case with JWE-specific placeholders for code, client_id, and client_assertion.
FAPI-JWE Userinfo and OAuth Details api-test/src/main/resources/esignet/FAPI/FAPIGetUserInfo/*, api-test/src/main/resources/esignet/FAPI/FAPIOauthDetails/*, api-test/src/main/resources/esignet/FAPI/OauthFAPI/*	FAPIGetUserInfo.yml adds forUserInfoJWE test case with JWE-specific DPoP access token placeholders. FAPIOauthDetails.yml normalizes output JSON format and adds forUserInfoJWE test case. OauthFAPI.yml adds forUserInfoJWE test case using $CLIENT_ASSERTION_FAPI_JWE_JWT$ placeholder while retaining PKCE/DPoP parameters.
FAPI Partial Update OIDC Client - New Endpoint api-test/src/main/resources/esignet/FAPI/FAPIPartialUpdateOIDCClient/*, api-test/testNgXmlFiles/esignetSuite.xml	New FAPI PATCH endpoint for partial OIDC client updates: FAPIPartialUpdateOIDCClient.hbs template with clientId, requestTime, and encPublicKey structure. FAPIPartialUpdateOIDCClient.yml test case targeting /v1/esignet/client-mgmt/client/{clientId}. TestNG suite updated with FAPIPartialUpdateOIDCClient test entry using PatchWithPathParamsAndBody class.
Consent Flow Corrections and End-to-End Updates api-test/src/main/resources/esignet/OAuthDetailsRequest/*, api-test/src/main/resources/esignet/OTPAuthFactorFlow/*, api-test/src/main/resources/esignet/EndToEndFlowWithV3MOCK/*, api-test/src/main/resources/esignet/PartialUpdateOIDCClient/*	OAuthDetailsRequest test cases (including VerifiedClaims and ConsentNoCapture variants) now omit prompt: "consent" to reflect subsequent-authentication flows where consent is stored from initial authentication. AuthenticateConsentNoCapture.yml updated with new description reflecting NOCAPTURE behavior. EndToEndFlow GetOidcUserInfo.yml reorganized with new StatusCode_Valid_Smoke scenario, JWE handling updates, and negative test for empty idpAccessToken (401 response). PartialUpdateOIDCClient.yml expanded with five new test cases covering negative scenarios (invalid alg, invalid clientId, missing kid, duplicate key) and positive test (RSA-OAEP-256). PartialUpdateOIDCClientNegSce.hbs template added for negative test scenarios.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• mosip/esignet#1881: Similar Maven publishing and central-publishing-maven-plugin changes in api-test/pom.xml.
• mosip/esignet#1661: Related updates to test-case dependency mappings and inter-test prerequisites overlapping with this PR's dependency changes.

Suggested reviewers

• mohanachandran-s
• ase-101

Poem

🐰 A rabbit hops through FAPI flows,
With JWE keys snug in rows,
Tests sprout branches, templates bloom,
Consent remembers, no prompt to resume,
Keys sign the tokens—off they go!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding test cases for JWE encryption and fixing consent flow issues, which are reflected throughout the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

api-test/src/main/java/io/mosip/testrig/apirig/esignet/utils/EsignetUtil.java (1)

1060-1087: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard FAPI-JWE assertion signing and stop logging raw JWK content.

Line 1062 logs full key material, and Lines 1083-1084 can execute signing even if RSA parsing failed at Line 1064. That can produce null-key failures and stale token reuse.

🔧 Suggested fix

 if (jsonString.contains("$CLIENT_ASSERTION_FAPI_JWE_JWT$")) {
 	String oidcJWKKeyString = JWKKeyUtil.getJWKKey(OIDC_JWK_FOR_FAPI_JWE);
-	logger.info("oidcJWKKeyString =" + oidcJWKKeyString);
+	logger.debug("Loaded JWK for OIDC_JWK_FOR_FAPI_JWE");
+	RSAKey fapiJweSigningKey = null;
 	try {
-		oidc_JWK_Key_For_FAPI_JWE = RSAKey.parse(oidcJWKKeyString);
-		logger.info("oidc_JWK_Key_For_FAPI_JWE =" + oidc_JWK_Key_For_FAPI_JWE);
+		fapiJweSigningKey = RSAKey.parse(oidcJWKKeyString);
+		oidc_JWK_Key_For_FAPI_JWE = fapiJweSigningKey;
+		logger.debug("Parsed signing key for OIDC_JWK_FOR_FAPI_JWE");
 	} catch (java.text.ParseException e) {
 		logger.error(e.getMessage());
 	}
@@
-	if (clientId != null) {
+	if (clientId != null && fapiJweSigningKey != null) {
 		jsonString = replaceKeywordValue(jsonString, "$CLIENT_ASSERTION_FAPI_JWE_JWT$",
-				signJWKKey(clientId, oidc_JWK_Key_For_FAPI_JWE, tempUrl));
+				signJWKKey(clientId, fapiJweSigningKey, tempUrl));
 	} else {
-		logger.error("Client ID not found in JSON for $CLIENT_ASSERTION_FAPI_JWE_JWT$.");
+		logger.error("Unable to generate $CLIENT_ASSERTION_FAPI_JWE_JWT$: missing client_id or signing key.");
 	}
 }

As per coding guidelines "SECRETS: Flag any credentials or API keys in code or config files."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@api-test/src/main/java/io/mosip/testrig/apirig/esignet/utils/EsignetUtil.java`
around lines 1060 - 1087, Remove logging of raw JWK material and ensure signing
is only attempted when RSA parsing succeeded: stop calling logger.info on
oidcJWKKeyString and remove logging of oidc_JWK_Key_For_FAPI_JWE in EsignetUtil;
after calling RSAKey.parse (reference RSAKey.parse and variable
oidc_JWK_Key_For_FAPI_JWE) check the parse result (or catch block) and only call
signJWKKey(clientId, oidc_JWK_Key_For_FAPI_JWE, tempUrl) when
oidc_JWK_Key_For_FAPI_JWE is non-null and valid; if parsing failed, log a safe
error message (no key material) and skip replacing
"$CLIENT_ASSERTION_FAPI_JWE_JWT$" to avoid null-key signing or stale tokens.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@api-test/src/main/resources/esignet/FAPI/FAPIAuthorizationCode/FAPIAuthorizationCode.yml`:
- Line 29: The additionalDependencies entry currently references the old
producer ID TC_ESignet_FAPI_AuthenticateUser_forUserInfoJWE_01; update the
additionalDependencies value to the new producer ID
TC_ESignet_FAPI_AuthenticateUserV3_02 so the authenticate producer/consumer
sequencing and downstream $ID: resolution remains correct, and then scan other
YAMLs for any consumers or references still pointing at
TC_ESignet_FAPI_AuthenticateUser_forUserInfoJWE_01 and update them to
TC_ESignet_FAPI_AuthenticateUserV3_02 as well to keep dependency IDs in sync.

In
`@api-test/src/main/resources/esignet/FAPI/FAPIPartialUpdateOIDCClient/FAPIPartialUpdateOIDCClient.yml`:
- Around line 2-13: This test entry
ESignet_FAPIPartialUpdateOIDCClient_all_Valid_forUserInfoJWE_Smoke_sid consumes
the producer ID CreateOIDCClientFAPI_all_Valid_forUserInfoJWE_Smoke_sid_clientId
but lacks an explicit dependency; add an additionalDependencies entry (or update
the centralized interdependency config) referencing the producer test that
creates CreateOIDCClientFAPI_all_Valid_forUserInfoJWE_Smoke_sid (the producer
uniqueIdentifier/test name) so the producer runs before
ESignet_FAPIPartialUpdateOIDCClient_all_Valid_forUserInfoJWE_Smoke_sid and
prevents order-related failures.

In
`@api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient.yml`:
- Around line 109-124: This duplicate-key negative test
(ESignet_PartialUpdateOIDCClient_MOCK_Duplicate_EncKey_forUserInfoUpdateJWE_Neg
/ uniqueIdentifier TC_ESignet_PatchOIDCClient_06) must explicitly depend on the
prior test that performs the initial key update so it cannot run first; add an
inline additionalDependencies entry referencing the prior key-update test (the
test that created/updated the same encPublicKey and/or the ID used in input,
e.g. the Create/Update test referenced by
ID:CreateOIDCClientV3_MOCK_all_Valid_forUserInfoToUpdateClient_Smoke or that
test's uniqueIdentifier) so the runner ensures the key is already set before
this duplicate-key scenario executes.

---

Outside diff comments:
In
`@api-test/src/main/java/io/mosip/testrig/apirig/esignet/utils/EsignetUtil.java`:
- Around line 1060-1087: Remove logging of raw JWK material and ensure signing
is only attempted when RSA parsing succeeded: stop calling logger.info on
oidcJWKKeyString and remove logging of oidc_JWK_Key_For_FAPI_JWE in EsignetUtil;
after calling RSAKey.parse (reference RSAKey.parse and variable
oidc_JWK_Key_For_FAPI_JWE) check the parse result (or catch block) and only call
signJWKKey(clientId, oidc_JWK_Key_For_FAPI_JWE, tempUrl) when
oidc_JWK_Key_For_FAPI_JWE is non-null and valid; if parsing failed, log a safe
error message (no key material) and skip replacing
"$CLIENT_ASSERTION_FAPI_JWE_JWT$" to avoid null-key signing or stale tokens.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ffbbaa16-1fd8-47cc-945a-ea354aaae2e6

📥 Commits

Reviewing files that changed from the base of the PR and between d18dabe and bb9aa10.

📒 Files selected for processing (22)

• api-test/pom.xml
• api-test/src/main/java/io/mosip/testrig/apirig/esignet/utils/EsignetUtil.java
• api-test/src/main/resources/esignet/EndToEndFlowWithV3MOCK/userinfo/GetOidcUserInfo.yml
• api-test/src/main/resources/esignet/FAPI/FAPIAuthenticateUser/FAPIAuthenticateUser.yml
• api-test/src/main/resources/esignet/FAPI/FAPIAuthorizationCode/FAPIAuthorizationCode.yml
• api-test/src/main/resources/esignet/FAPI/FAPICreateOIDCClientV3/FAPICreateOIDCClient.hbs
• api-test/src/main/resources/esignet/FAPI/FAPICreateOIDCClientV3/FAPICreateOIDCClient.yml
• api-test/src/main/resources/esignet/FAPI/FAPIGenerateToken/FAPIGenerateToken.yml
• api-test/src/main/resources/esignet/FAPI/FAPIGetUserInfo/FAPIGetUserInfo.yml
• api-test/src/main/resources/esignet/FAPI/FAPIOauthDetails/FAPIOauthDetails.yml
• api-test/src/main/resources/esignet/FAPI/FAPIPartialUpdateOIDCClient/FAPIPartialUpdateOIDCClient.hbs
• api-test/src/main/resources/esignet/FAPI/FAPIPartialUpdateOIDCClient/FAPIPartialUpdateOIDCClient.yml
• api-test/src/main/resources/esignet/FAPI/OauthFAPI/OauthFAPI.yml
• api-test/src/main/resources/esignet/OAuthDetailsRequest/OAuthDetailsRequest.yml
• api-test/src/main/resources/esignet/OTPAuthFactorFlow/ConsentNoCapture/AuthenticateConsentNoCapture/AuthenticateConsentNoCapture.yml
• api-test/src/main/resources/esignet/OTPAuthFactorFlow/ConsentNoCapture/OAuthConsentNoCapture/OAuthConsentNoCapture.yml
• api-test/src/main/resources/esignet/OTPAuthFactorFlow/VerifiedClaims/OAuthDetails/OAuthDetailsRequest.yml
• api-test/src/main/resources/esignet/OidcClient/OIDCClient.yml
• api-test/src/main/resources/esignet/OidcClient/OIDCClientFAPI.hbs
• api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient.yml
• api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClientNegSce.hbs
• api-test/testNgXmlFiles/esignetSuite.xml

💤 Files with no reviewable changes (2)

• api-test/src/main/resources/esignet/OTPAuthFactorFlow/VerifiedClaims/OAuthDetails/OAuthDetailsRequest.yml
• api-test/src/main/resources/esignet/OTPAuthFactorFlow/ConsentNoCapture/OAuthConsentNoCapture/OAuthConsentNoCapture.yml

[prathmeshj12]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient.yml`:
- Line 137: The inputTemplate value currently points to a template named
PartialUpdateOIDCClientNegSce which implies a negative scenario; update the test
to use a correctly named positive template or rename the template to something
neutral/accurate (e.g., PartialUpdateOIDCClientWithInlineJWK) and update the
inputTemplate reference accordingly, or swap it to the existing standard
positive template if one exists so the file's inputTemplate correctly reflects a
positive test case.
- Around line 113-129: Rename the test
ESignet_PartialUpdateOIDCClient_MOCK_Duplicate_EncKey_forUserInfoUpdateJWE_Neg
to reflect idempotency/success rather than a negative case (for example
ESignet_PartialUpdateOIDCClient_MOCK_Duplicate_EncKey_Idempotency_Pos), and
update any matching identifiers or references (uniqueIdentifier
TC_ESignet_PatchOIDCClient_06, inputTemplate
esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient, and any CI/test-suite
references) so the name and metadata consistently indicate this is a
positive/idempotency validation rather than a negative test.
- Around line 36-61: The negative test
ESignet_PartialUpdateOIDCClient_MOCK_Invlalid_alg_value_Neg mixes multiple
invalid fields (kty, n, alg, possibly kid/clientId) which obscures which
validation triggered the error; update the test inputTemplate/input so only the
primary field under test (alg = "" in PartialUpdateOIDCClientNegSce) is invalid
and make all other fields (kty, n, kid, clientId, e, use) valid or canonical
values, and split out separate negative tests for kty and n (and any other
cases) so each test validates a single failure mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 87d49183-65ba-4dbb-a8a6-f623a0c5301f

📥 Commits

Reviewing files that changed from the base of the PR and between bb9aa10 and 6ee05ef.

📒 Files selected for processing (9)

• api-test/src/main/resources/config/testCaseInterDependency_mock.json
• api-test/src/main/resources/config/testCaseInterDependency_mosip-id.json
• api-test/src/main/resources/config/testCaseInterDependency_sunbirdrc.json
• api-test/src/main/resources/esignet/FAPI/FAPIAuthenticateUser/FAPIAuthenticateUser.yml
• api-test/src/main/resources/esignet/FAPI/FAPIAuthorizationCode/FAPIAuthorizationCode.yml
• api-test/src/main/resources/esignet/FAPI/FAPIGenerateToken/FAPIGenerateToken.yml
• api-test/src/main/resources/esignet/FAPI/FAPIOauthDetails/FAPIOauthDetails.yml
• api-test/src/main/resources/esignet/FAPI/FAPIPartialUpdateOIDCClient/FAPIPartialUpdateOIDCClient.yml
• api-test/src/main/resources/esignet/PartialUpdateOIDCClient/PartialUpdateOIDCClient.yml

[zesu22]

Approving because @mohanachandran-s already approved it