Check the role info from DSI API when user logs in

We don't do this if bypassing DSI. The first role to match the list of authorised roles will be recorded in the DsiUserSession along with org info. The absence of a valid role takes the user to the 'Not authorised' page.
DFE-Digital · Sep 7, 2023 · 6a31cbb · 6a31cbb
1 parent 4cd7b60
commit 6a31cbb
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 4 deletions.
diff --git a/app/controllers/check_records/omniauth_callbacks_controller.rb b/app/controllers/check_records/omniauth_callbacks_controller.rb
@@ -4,7 +4,18 @@ class CheckRecords::OmniauthCallbacksController < ApplicationController
   protect_from_forgery except: :dfe_bypass
 
   def dfe
-    @dsi_user = DsiUser.create_or_update_from_dsi(request.env["omniauth.auth"])
+    auth = request.env["omniauth.auth"]
+
+    unless CheckRecords::DfESignIn.bypass?
+      role = DfESignInApi::GetUserAccessToService.new(
+        org_id: auth.extra.raw_info.organisation.id,
+        user_id: auth.uid,
+      ).call
+
+      return redirect_to check_records_not_authorised_path unless role
+    end
+
+    @dsi_user = DsiUser.create_or_update_from_dsi(auth, role)
     session[:dsi_user_id] = @dsi_user.id
     session[:dsi_user_session_expiry] = 2.hours.from_now.to_i
 

diff --git a/app/controllers/check_records/sign_in_controller.rb b/app/controllers/check_records/sign_in_controller.rb
@@ -5,5 +5,8 @@ class SignInController < CheckRecordsController
 
     def new
     end
+
+    def not_authorised
+    end
   end
 end
diff --git a/app/views/check_records/sign_in/not_authorised.html.erb b/app/views/check_records/sign_in/not_authorised.html.erb
@@ -0,0 +1,5 @@
+<h1 class="govuk-heading-l">Authorisation required</h1>
+<p class="govuk-body">
+  You are not authorised to access this service.
+</p>
+
diff --git a/config/routes/check_records.rb b/config/routes/check_records.rb
@@ -6,6 +6,7 @@
   get "/privacy", to: "static#privacy"
 
   get "/sign-in", to: "sign_in#new"
+  get "/not-authorised", to: "sign_in#not_authorised"
   get "/sign-out", to: "sign_out#new"
 
   get "/auth/dfe/callback", to: "omniauth_callbacks#dfe"

diff --git a/spec/support/system/check_records/authentication_steps.rb b/spec/support/system/check_records/authentication_steps.rb
@@ -1,13 +1,13 @@
 module CheckRecords
   module AuthenticationSteps
-    def when_i_sign_in_via_dsi
-      given_dsi_auth_is_mocked
+    def when_i_sign_in_via_dsi(authorised: true)
+      given_dsi_auth_is_mocked(authorised:)
       when_i_visit_the_sign_in_page
       and_click_the_dsi_sign_in_button
     end
     alias_method :and_i_am_signed_in_via_dsi, :when_i_sign_in_via_dsi
 
-    def given_dsi_auth_is_mocked
+    def given_dsi_auth_is_mocked(authorised:)
       OmniAuth.config.mock_auth[:dfe] = OmniAuth::AuthHash.new(
         {
           provider: "dfe",
@@ -16,9 +16,24 @@ def given_dsi_auth_is_mocked
             email: "[email protected]",
             first_name: "Test",
             last_name: "User"
+          },
+          extra: {
+            raw_info: {
+              organisation: {
+                id: org_id,
+              }
+            }
           }
         }
       )
+
+      stub_request(
+        :get,
+        "#{ENV.fetch("DFE_SIGN_IN_API_BASE_URL")}/services/checkrecordteacher/organisations/#{org_id}/users/123456",
+      ).to_return_json(
+        status: 200,
+        body: { "roles" => [{ "code" => (authorised ? role_code : "Unauthorised_Role") }] },
+      )
     end
 
     def when_i_visit_the_sign_in_page
@@ -28,5 +43,13 @@ def when_i_visit_the_sign_in_page
     def and_click_the_dsi_sign_in_button
       click_button "Sign in with DSI"
     end
+
+    def org_id
+      "12345678-1234-1234-1234-123456789012"
+    end
+
+    def role_code
+      ENV.fetch("DFE_SIGN_IN_API_ROLE_CODES").split(",").first
+    end
   end
 end
diff --git a/spec/system/check_records/unauthorised_user_signs_in_spec.rb b/spec/system/check_records/unauthorised_user_signs_in_spec.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "DSI authentication", host: :check_records do
+  include AuthorizationSteps
+  include CheckRecords::AuthenticationSteps
+
+  scenario "Unauthorised user signs in via DfE Sign In", test: :with_stubbed_auth do
+    when_i_am_authorized_with_basic_auth
+    when_i_sign_in_via_dsi(authorised: false)
+    then_i_am_redirected_to_the_unauthorised_page
+  end
+
+  private
+
+  def then_i_am_redirected_to_the_unauthorised_page
+    expect(page).to have_current_path("/check-records/not-authorised")
+    expect(page).to have_content("You are not authorised to access this service")
+  end
+end
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,5 +5,8 @@ class SignInController < CheckRecordsController @@
         def new
         end
+        def not_authorised
+        end
       end
     end