All checks were successful
## What & why S-09b (#75, split from #10) — the **approval flow** that completes the walking skeleton. A behandelaar can now approve a submitted registration; the entry flips from `INGEDIEND` to `INGESCHREVEN` in the public register. Flow: `POST /registrations/{id}/approve` (domain) → ACL sets the zaak eindstatus (ZGW `/statussen`) → OpenZaak → NRC → event-subscriber → projection → openbaar. ## Changes (bottom-up, each red→green TDD) - **Domain** — `RegistrationStatus.Ingeschreven` + `Registration.Approve()` (guards: opened zaak, only from INGEDIEND); `ApproveRegistration` use case (idempotent) + temp `POST /registrations/{id}/approve` endpoint; `IAclClient.ApproveZaakAsync`. - **ACL** — resolves the zaaktype's **eindstatus** from the catalogus (`isEindstatus` / highest volgnummer) and POSTs a ZGW status; exposed as `POST /statussen`. Unit + real-OpenZaak integration test. - **Event-subscriber** — binds NRC `hoofdObject`, projects a `status`/`create` as `INGESCHREVEN` keyed on the zaak (updates the existing row), **without reading OpenZaak** (§8.1). Retains the ZGW `resource` in the log (new column + EF migration) so a rebuild reproduces the status. - **e2e** — extended: submit → public INGEDIEND → approve → public INGESCHREVEN. - **Docs** — ADR-0011 (the two non-obvious decisions + the walking-skeleton assumption) + demo note. ## Key decisions (see ADR-0011) - **ACL discovers the eindstatus** (chosen over injecting a statustype URL): no new config/seed plumbing, domain stays ZGW-ignorant. - **Any post-creation status-set ⇒ INGESCHREVEN**: in the walking skeleton the only status ever set after creation is the approval, and the subscriber may not read ZGW — documented to tighten when more transitions arrive (S-12+). ## Verification - All .NET unit suites green locally (domain 47, acl 11, event-subscriber 14, bff 16, acceptance 7); Release build + `dotnet format` clean. - No new compose config (the eindstatus-discovery approach avoided it). - The real-OpenZaak integration test (ACL status-set) and the full submit→approve→visible e2e run in CI `verify-stack` (live NRC→projection + selectielijst egress, not reproducible locally). closes #75 Reviewed-on: #77
67 lines
2.7 KiB
C#
67 lines
2.7 KiB
C#
using System.Text.Json;
|
|
using EventSubscriber.Application;
|
|
using Projection.ReadModel;
|
|
|
|
var builder = WebApplication.CreateBuilder(args);
|
|
|
|
var connectionString = builder.Configuration.GetConnectionString("Projection")
|
|
?? throw new InvalidOperationException("Missing connection string 'ConnectionStrings:Projection'");
|
|
// The exact Authorization header value Open Notificaties sends on each abonnement callback.
|
|
// NRC probes the callback during registration and refuses it unless it returns 401 without
|
|
// this value (ADR-0007), so the webhook enforces it.
|
|
var webhookToken = builder.Configuration["EventSubscriber:Webhook:AuthToken"]
|
|
?? throw new InvalidOperationException("Missing configuration 'EventSubscriber:Webhook:AuthToken'");
|
|
|
|
builder.Services.AddProjectionReadModel(connectionString);
|
|
builder.Services.AddProjectionWriteSide();
|
|
|
|
var app = builder.Build();
|
|
|
|
// Apply migrations on start so a fresh stack reaches a usable schema unattended.
|
|
await app.Services.MigrateProjectionAsync();
|
|
|
|
app.MapGet("/health", () => "Healthy");
|
|
|
|
// The NRC abonnement callback. Open Notificaties POSTs a notification here; we project it.
|
|
// Auth-on-callback is mandatory: the auth check runs *before* the body is read, so NRC's
|
|
// registration probe (a POST without the configured Authorization, and without a valid
|
|
// notification body) gets the 401 it requires rather than a 400 (ADR-0007).
|
|
app.MapPost("/notifications", async (
|
|
HttpRequest request,
|
|
NotificationProjector projector,
|
|
CancellationToken ct) =>
|
|
{
|
|
if (request.Headers.Authorization != webhookToken)
|
|
return Results.Unauthorized();
|
|
|
|
var dto = await JsonSerializer.DeserializeAsync<NotificationDto>(
|
|
request.Body, SerializerOptions, ct);
|
|
if (dto is null)
|
|
return Results.BadRequest();
|
|
|
|
await projector.HandleAsync(dto.ToNotification(), ct);
|
|
return Results.NoContent();
|
|
});
|
|
|
|
// Admin: rebuild the projection from the durable notification log (PRD §8.4 — rebuildable).
|
|
app.MapPost("/admin/rebuild", async (NotificationProjector projector, CancellationToken ct) =>
|
|
{
|
|
await projector.RebuildAsync(ct);
|
|
return Results.NoContent();
|
|
});
|
|
|
|
await app.RunAsync();
|
|
|
|
/// <summary>The NRC notification body, as Open Notificaties POSTs it. Only the fields the
|
|
/// projection needs are bound; <c>aanmaakdatum</c>/<c>kenmerken</c> are ignored for the minimal slice.</summary>
|
|
public sealed record NotificationDto(string Kanaal, string Resource, string Actie, Uri ResourceUrl, Uri? HoofdObject = null)
|
|
{
|
|
public Notification ToNotification() => new(Kanaal, Resource, Actie, ResourceUrl, HoofdObject);
|
|
}
|
|
|
|
public partial class Program
|
|
{
|
|
// NRC sends camelCase JSON; match it case-insensitively.
|
|
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
|
|
}
|