feat: add delete-holder endpoint (#935)

* feat: add delete-holder endpoint

* checkstyle

* update api version file

Author: paullatzelsperger

e2e-tests/admin-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/HolderApiEndToEndTest.java

@@ -247,6 +247,44 @@ void getById_notAuthorized(IssuerService issuer, HolderService service) {
 
         }
 
+        @Test
+        void deleteHolder(IssuerService issuerService, HolderService service) {
+            var holder = createHolder("test-participant-id", "did:web:foo", "foobar");
+            service.createHolder(holder);
+
+            issuerService.getAdminEndpoint().baseRequest()
+                    .contentType(ContentType.JSON)
+                    .header(authorizeUser(USER, issuerService))
+                    .delete("/v1alpha/participants/%s/holders/%s".formatted(toBase64(USER), "test-participant-id"))
+                    .then()
+                    .statusCode(204);
+        }
+
+        @Test
+        void deleteHolder_notFound(IssuerService issuerService, HolderService service) {
+
+            issuerService.getAdminEndpoint().baseRequest()
+                    .contentType(ContentType.JSON)
+                    .header(authorizeUser(USER, issuerService))
+                    .delete("/v1alpha/participants/%s/holders/%s".formatted(toBase64(USER), "test-participant-id"))
+                    .then()
+                    .statusCode(404);
+        }
+
+        @Test
+        void deleteHolder_notAuthorized(IssuerService issuerService, HolderService service) {
+            issuerService.createParticipant(USER);
+            var holder = createHolder("test-participant-id", "did:web:foo", "foobar");
+            service.createHolder(holder);
+
+            issuerService.getAdminEndpoint().baseRequest()
+                    .contentType(ContentType.JSON)
+                    .header(authorizeUser("anotherUser", issuerService))
+                    .delete("/v1alpha/participants/%s/holders/%s".formatted(toBase64(USER), "test-participant-id"))
+                    .then()
+                    .statusCode(403);
+        }
+
         protected abstract Header authorizeUser(String participantContextId, IssuerService issuerService);
 
         private Holder createHolder(String id, String did, String name) {

extensions/api/issuer-admin-api/holder-api/src/main/java/org/eclipse/edc/issuerservice/api/admin/holder/v1/unstable/IssuerHolderAdminApi.java

@@ -52,6 +52,18 @@ public interface IssuerHolderAdminApi {
     )
     Response addHolder(String participantContextId, HolderDto holder, SecurityContext context);
 
+    @Operation(description = "Delete a holder.",
+            operationId = "deleteHolder",
+            responses = {
+                    @ApiResponse(responseCode = "204", description = "The holder was deleted successfully."),
+                    @ApiResponse(responseCode = "401", description = "The request could not be completed, because either the authentication was missing or was not valid.",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
+                    @ApiResponse(responseCode = "409", description = "Can't add the holder, because a object with the same ID already exists",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json"))
+            }
+    )
+    Response deleteHolder(String participantContextId, String holderId, SecurityContext context);
+
     @Operation(description = "Updates holder data.",
             operationId = "updateHolder",
             requestBody = @RequestBody(content = @Content(schema = @Schema(implementation = HolderDto.class), mediaType = "application/json")),

extensions/api/issuer-admin-api/holder-api/src/main/java/org/eclipse/edc/issuerservice/api/admin/holder/v1/unstable/IssuerHolderAdminApiController.java

@@ -16,6 +16,7 @@
 
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.PUT;
@@ -59,7 +60,7 @@ public IssuerHolderAdminApiController(AuthorizationService authorizationService,
 
     @POST
     @RequiredScope("issuer-admin-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PROVISIONER})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PROVISIONER })
     @Override
     public Response addHolder(@PathParam("participantContextId") String participantContextId, HolderDto holder, @Context SecurityContext context) {
         var decodedParticipantContextId = onEncoded(participantContextId).orElseThrow(InvalidRequestException::new);
@@ -69,9 +70,22 @@ public Response addHolder(@PathParam("participantContextId") String participantC
                 .orElseThrow(exceptionMapper(Holder.class, holder.id()));
     }
 
+    @DELETE
+    @Path("/{holderId}")
+    @RequiredScope("issuer-admin-api:write")
+    @RolesAllowed({ ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PROVISIONER })
+    @Override
+    public Response deleteHolder(@PathParam("participantContextId") String participantContextId, @PathParam("holderId") String holderId, @Context SecurityContext context) {
+        var decodedParticipantContextId = onEncoded(participantContextId).orElseThrow(InvalidRequestException::new);
+        return authorizationService.authorize(context, decodedParticipantContextId, holderId, Holder.class)
+                .compose(u -> holderService.deleteHolder(holderId))
+                .map(v -> Response.noContent().build())
+                .orElseThrow(exceptionMapper(Holder.class, holderId));
+    }
+
     @PUT
     @RequiredScope("issuer-admin-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN })
     @Override
     public Response updateHolder(@PathParam("participantContextId") String participantContextId, HolderDto holder, @Context SecurityContext context) {
         var decodedParticipantContextId = onEncoded(participantContextId).orElseThrow(InvalidRequestException::new);
@@ -83,7 +97,7 @@ public Response updateHolder(@PathParam("participantContextId") String participa
 
     @GET
     @RequiredScope("issuer-admin-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN })
     @Path("/{holderId}")
     @Override
     public Holder getHolderById(@PathParam("participantContextId") String participantContextId, @PathParam("holderId") String holderId, @Context SecurityContext context) {
@@ -96,7 +110,7 @@ public Holder getHolderById(@PathParam("participantContextId") String participan
 
     @POST
     @RequiredScope("issuer-admin-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_PARTICIPANT, ParticipantPrincipal.ROLE_ADMIN })
     @Path("/query")
     @Override
     public Collection<Holder> queryHolders(@PathParam("participantContextId") String participantContextId, QuerySpec querySpec, @Context SecurityContext context) {

extensions/api/issuer-admin-api/holder-api/src/test/java/org/eclipse/edc/issuerservice/api/admin/holder/v1/unstable/IssuerHolderAdminApiControllerTest.java

@@ -150,7 +150,6 @@ void queryHolders() {
                 .allSatisfy(d -> assertThat(d).usingRecursiveComparison().isEqualTo(test));
     }
 
-
     @Test
     void queryHolders_noneFound() {
         when(holderService.queryHolders(any())).thenReturn(ServiceResult.success(Set.of()));
@@ -166,6 +165,43 @@ void queryHolders_noneFound() {
         assertThat(dto).isEmpty();
     }
 
+    @Test
+    void deleteHolder_success() {
+        when(holderService.deleteHolder(any())).thenReturn(ServiceResult.success());
+
+        baseRequest()
+                .delete("/test-id")
+                .then()
+                .log().ifValidationFails()
+                .statusCode(204)
+                .body(emptyString());
+    }
+
+    @Test
+    void deleteHolder_notFound() {
+        when(holderService.deleteHolder(any())).thenReturn(ServiceResult.notFound("not found"));
+
+        baseRequest()
+                .delete("/test-id")
+                .then()
+                .log().ifValidationFails()
+                .statusCode(404)
+                .body(notNullValue());
+    }
+
+    @Test
+    void deleteHolder_whenHasCredentials() {
+        when(holderService.deleteHolder(any())).thenReturn(ServiceResult.conflict("holder has associated credentials"));
+
+        baseRequest()
+                .delete("/test-id")
+                .then()
+                .log().ifValidationFails()
+                .statusCode(409)
+                .body(notNullValue());
+    }
+
+
     @Override
     protected Object controller() {
         return new IssuerHolderAdminApiController(authorizationService, holderService);

extensions/api/issuer-admin-api/issuer-admin-api-configuration/src/main/resources/issuer-admin-api-version.json

@@ -2,7 +2,7 @@
   {
     "version": "1.0.0-alpha",
     "urlPath": "/v1alpha",
-    "lastUpdated": "2026-02-17T16:00:00Z",
+    "lastUpdated": "2026-03-04T15:00:00Z",
     "maturity": null
   }
 ]