refactor: retire get-all endpoints (#959)

Author: paullatzelsperger

e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/KeyPairResourceApiEndToEndTest.java

@@ -711,7 +711,6 @@ void getAll_withDefaultPaging(IdentityHub identityHub) {
 
         @Test
         void getAll_notAuthorized(IdentityHub identityHub) {
-            var attackerToken = authorizeUser("attacker", identityHub);
 
             range(0, 10)
                     .forEach(i -> {
@@ -720,7 +719,19 @@ void getAll_notAuthorized(IdentityHub identityHub) {
                     });
             identityHub.getIdentityEndpoint().baseRequest()
                     .contentType(JSON)
-                    .header(attackerToken)
+                    .get("/v1alpha/keypairs")
+                    .then()
+                    .log().ifValidationFails()
+                    .statusCode(401);
+        }
+
+        @Test
+        void getAll_notAdmin(IdentityHub identityHub) {
+            var userAuth = authorizeUser(PARTICIPANT_CONTEXT_ID, identityHub);
+
+            identityHub.getIdentityEndpoint().baseRequest()
+                    .contentType(JSON)
+                    .header(userAuth)
                     .get("/v1alpha/keypairs")
                     .then()
                     .log().ifValidationFails()

e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/VerifiableCredentialApiEndToEndTest.java

@@ -432,6 +432,46 @@ void getRequest_whenNotFound_shouldReturn404(IdentityHub identityHub) {
                     .statusCode(404);
         }
 
+        @Test
+        void getAll_whenAdmin(IdentityHub identityHub) {
+            var superUserAuth = authorizeUser(SUPER_USER, identityHub);
+            var user1 = "user1";
+            var user2 = "user2";
+            identityHub.createParticipant(user1);
+            identityHub.createParticipant(user2);
+
+            var credential1 = createCredential();
+            var credential2 = createCredential();
+            identityHub.storeCredential(credential1, user1);
+            identityHub.storeCredential(credential2, user2);
+
+            identityHub.getIdentityEndpoint().baseRequest()
+                    .contentType(JSON)
+                    .header(superUserAuth)
+                    .get("/v1alpha/credentials")
+                    .then()
+                    .log().ifValidationFails()
+                    .statusCode(200)
+                    .body(notNullValue());
+        }
+
+        @Test
+        void getAll_whenNotAdmin_expect403(IdentityHub identityHub) {
+            var user = "user1";
+            var userAuth = authorizeUser(user, identityHub);
+
+            var credential = createCredential();
+            identityHub.storeCredential(credential, user);
+
+            identityHub.getIdentityEndpoint().baseRequest()
+                    .contentType(JSON)
+                    .header(userAuth)
+                    .get("/v1alpha/credentials")
+                    .then()
+                    .log().ifValidationFails()
+                    .statusCode(403);
+        }
+
         protected abstract Header authorizeUser(String participantContextId, IdentityHub identityHub);
 
         private VerifiableCredentialManifest.Builder createManifest(String participantContextId, VerifiableCredential vc) {

extensions/api/identity-api/did-api/src/main/java/org/eclipse/edc/identityhub/api/didmanagement/v1/unstable/GetAllDidsApi.java

@@ -46,7 +46,8 @@ public interface GetAllDidsApi {
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
                     @ApiResponse(responseCode = "400", description = "The query was malformed or was not understood by the server.",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
-            }
+            },
+            deprecated = true
     )
     Collection<DidDocument> getAllDids(Integer offset, Integer limit);
 }

extensions/api/identity-api/did-api/src/main/java/org/eclipse/edc/identityhub/api/didmanagement/v1/unstable/GetAllDidsApiController.java

@@ -47,7 +47,8 @@ public GetAllDidsApiController(DidDocumentService documentService) {
     @Override
     @GET
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PROVISIONER})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN })
+    @Deprecated(forRemoval = true, since = "0.17.0")
     public Collection<DidDocument> getAllDids(@DefaultValue("0") @QueryParam("offset") Integer offset,
                                               @DefaultValue("50") @QueryParam("limit") Integer limit) {
         if (offset < 0 || limit < 0) {

extensions/api/identity-api/identity-api-configuration/src/main/resources/identity-api-version.json

@@ -2,7 +2,7 @@
   {
     "version": "1.0.0-alpha",
     "urlPath": "/v1alpha",
-    "lastUpdated": "2026-03-25T11:00:00Z",
+    "lastUpdated": "2026-03-30T11:00:00Z",
     "maturity": null
   }
 ]

extensions/api/identity-api/keypair-api/src/main/java/org/eclipse/edc/identityhub/api/keypair/v1/unstable/GetAllKeyPairsApi.java

@@ -46,7 +46,8 @@ public interface GetAllKeyPairsApi {
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
                     @ApiResponse(responseCode = "400", description = "The query was malformed or was not understood by the server.",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
-            }
+            },
+            deprecated = true
     )
     Collection<KeyPairResource> getAllKeyPairs(Integer offset, Integer limit);
 }

extensions/api/identity-api/keypair-api/src/main/java/org/eclipse/edc/identityhub/api/keypair/v1/unstable/GetAllKeyPairsApiController.java

@@ -46,8 +46,9 @@ public GetAllKeyPairsApiController(KeyPairService keyPairService) {
 
     @GET
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN })
     @Override
+    @Deprecated(forRemoval = true, since = "0.17.0")
     public Collection<KeyPairResource> getAllKeyPairs(@DefaultValue("0") @QueryParam("offset") Integer offset,
                                                       @DefaultValue("50") @QueryParam("limit") Integer limit) {
         return keyPairService.query(QuerySpec.Builder.newInstance().offset(offset).limit(limit).build())

extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/GetAllCredentialsApi.java

@@ -37,15 +37,16 @@ public interface GetAllCredentialsApi {
             operationId = "getAllCredentials",
             parameters = {
                     @Parameter(name = "offset", description = "the paging offset. defaults to 0"),
-                    @Parameter(name = "limit", description = "the page size. defaults to 50")},
+                    @Parameter(name = "limit", description = "the page size. defaults to 50") },
             responses = {
                     @ApiResponse(responseCode = "200", description = "The list of VerifiableCredential resources.",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = VerifiableCredentialResource.class)))),
                     @ApiResponse(responseCode = "401", description = "The request could not be completed, because either the authentication was missing or was not valid.",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
                     @ApiResponse(responseCode = "400", description = "The query was malformed or was not understood by the server.",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
-            }
+            },
+            deprecated = true
     )
     Collection<VerifiableCredentialResource> getAllCredentials(Integer offset, Integer limit);
 }

extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/GetAllCredentialsApiController.java

@@ -46,8 +46,9 @@ public GetAllCredentialsApiController(CredentialStore credentialStore) {
 
     @GET
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN })
     @Override
+    @Deprecated(forRemoval = true, since = "0.17.0")
     public Collection<VerifiableCredentialResource> getAllCredentials(@DefaultValue("0") @QueryParam("offset") Integer offset,
                                                                       @DefaultValue("50") @QueryParam("limit") Integer limit) {
         var res = credentialStore.query(QuerySpec.Builder.newInstance().limit(limit).offset(offset).build());

protocols/dcp/dcp-identityhub/credentials-api-configuration/src/main/resources/credentials-api-version.json

@@ -2,7 +2,7 @@
   {
     "version": "1.0.0",
     "urlPath": "/v1",
-    "lastUpdated": "2026-03-24T09:00:00Z",
+    "lastUpdated": "2026-03-30T09:00:00Z",
     "maturity": "stable"
   }
 ]