Add a service to call the DSI API for user roles

This DSI API endpoint will respond with roles belonging to the user.

.env.development

@@ -4,6 +4,10 @@ DFE_SIGN_IN_CLIENT_ID=checkrecordteacher
 DFE_SIGN_IN_REDIRECT_URL=http://check.localhost:3000/check-records/auth/dfe/callback
 DFE_SIGN_IN_SECRET=override-locally
 DFE_SIGN_IN_ISSUER=https://dev-oidc.signin.education.gov.uk
+DFE_SIGN_IN_API_BASE_URL=https://dev-api.signin.education.gov.uk
+DFE_SIGN_IN_API_SECRET=override-locally
+DFE_SIGN_IN_API_AUDIENCE=signin.education.gov.uk
+DFE_SIGN_IN_API_ROLE_CODES=override-locally
 GOVUK_NOTIFY_API_KEY=override-locally
 HOSTING_DOMAIN=http://localhost:3000
 HOSTING_ENVIRONMENT_NAME=local

.env.test

@@ -3,6 +3,10 @@ DFE_SIGN_IN_CLIENT_ID=checkrecordteacher
 DFE_SIGN_IN_ISSUER=test
 DFE_SIGN_IN_REDIRECT_URL=test
 DFE_SIGN_IN_SECRET=override-locally
+DFE_SIGN_IN_API_BASE_URL=https://dev-api.signin.education.gov.uk
+DFE_SIGN_IN_API_SECRET=override-locally
+DFE_SIGN_IN_API_AUDIENCE=signin.education.gov.uk
+DFE_SIGN_IN_API_ROLE_CODES=override-locally
 GOVUK_NOTIFY_API_KEY=override-locally
 HOSTING_DOMAIN=http://qualifications.localhost
 HOSTING_ENVIRONMENT_NAME=local

app/lib/dfe_sign_in_api/client.rb

@@ -0,0 +1,35 @@
+require "jwt"
+
+module DfESignInApi
+  module Client
+    TIMEOUT_IN_SECONDS = 5
+
+    def client
+      @client ||=
+        Faraday.new(
+          url: ENV.fetch("DFE_SIGN_IN_API_BASE_URL"),
+          request: {
+            timeout: TIMEOUT_IN_SECONDS
+          }
+        ) do |faraday|
+          faraday.request :authorization, "Bearer", jwt
+          faraday.request :json
+          faraday.response :json
+          faraday.adapter Faraday.default_adapter
+        end
+    end
+
+    private
+
+    def jwt
+      @jwt ||= JWT.encode(
+        {
+          iss: ENV.fetch("DFE_SIGN_IN_CLIENT_ID"),
+          aud: ENV.fetch("DFE_SIGN_IN_API_AUDIENCE"),
+        },
+        ENV.fetch("DFE_SIGN_IN_API_SECRET"),
+        "HS256",
+      )
+    end
+  end
+end

app/lib/dfe_sign_in_api/get_user_access_to_service.rb

@@ -0,0 +1,34 @@
+module DfESignInApi
+  class GetUserAccessToService
+    include Client
+
+    attr_reader :org_id, :user_id
+
+    def initialize(org_id:, user_id:)
+      @org_id = org_id
+      @user_id = user_id
+    end
+
+    def call
+      response = client.get(endpoint)
+
+      if response.success? && response.body.key?("roles")
+        response.body["roles"].find { |role| authorised_role_codes.include?(role["code"]) }
+      end
+    end
+
+    private
+
+    def endpoint
+      "/services/#{service_id}/organisations/#{org_id}/users/#{user_id}"
+    end
+
+    def service_id
+      ENV["DFE_SIGN_IN_CLIENT_ID"]
+    end
+
+    def authorised_role_codes
+      ENV.fetch("DFE_SIGN_IN_API_ROLE_CODES").split(",")
+    end
+  end
+end

spec/lib/dfe_sign_in_api/get_user_access_to_service_spec.rb

@@ -0,0 +1,39 @@
+require "rails_helper"
+
+RSpec.describe DfESignInApi::GetUserAccessToService do
+  describe "#call" do
+    let(:org_id) { "123" }
+    let(:user_id) { "456" }
+    let(:role_id) { "789" }
+    let(:role_code) { ENV.fetch("DFE_SIGN_IN_API_ROLE_CODES").split(",").first }
+    let(:endpoint) do
+      "#{ENV.fetch("DFE_SIGN_IN_API_BASE_URL")}/services/checkrecordteacher/organisations/#{org_id}/users/#{user_id}"
+    end
+
+    subject { described_class.new(org_id:, user_id:).call }
+
+    context "when the user is authorised" do
+      before do
+        stub_request(:get, endpoint)
+        .to_return_json(
+          status: 200,
+          body: { "roles" => [{ "id" => role_id, "code" => role_code }] },
+        )
+      end
+
+      it { is_expected.to eq({ "id" => role_id, "code" => role_code }) }
+    end
+
+    context "when the user is not authorised" do
+      before do
+        stub_request(:get, endpoint)
+        .to_return_json(
+          status: 200,
+          body: { "roles" => [{ "id" => role_id, "code" => "Unauthorised_Role" }] },
+        )
+      end
+
+      it { is_expected.to be_nil }
+    end
+  end
+end