-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Check the role info from DSI API when user logs in
We don't do this if bypassing DSI. The first role to match the list of authorised roles will be recorded in the DsiUserSession along with org info. The absence of a valid role takes the user to the 'Not authorised' page.
- Loading branch information
Showing
6 changed files
with
68 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,5 +5,8 @@ class SignInController < CheckRecordsController | |
|
||
def new | ||
end | ||
|
||
def not_authorised | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
<h1 class="govuk-heading-l">Authorisation required</h1> | ||
<p class="govuk-body"> | ||
You are not authorised to access this service. | ||
</p> | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,13 @@ | ||
module CheckRecords | ||
module AuthenticationSteps | ||
def when_i_sign_in_via_dsi | ||
given_dsi_auth_is_mocked | ||
def when_i_sign_in_via_dsi(authorised: true) | ||
given_dsi_auth_is_mocked(authorised:) | ||
when_i_visit_the_sign_in_page | ||
and_click_the_dsi_sign_in_button | ||
end | ||
alias_method :and_i_am_signed_in_via_dsi, :when_i_sign_in_via_dsi | ||
|
||
def given_dsi_auth_is_mocked | ||
def given_dsi_auth_is_mocked(authorised:) | ||
OmniAuth.config.mock_auth[:dfe] = OmniAuth::AuthHash.new( | ||
{ | ||
provider: "dfe", | ||
|
@@ -16,9 +16,24 @@ def given_dsi_auth_is_mocked | |
email: "[email protected]", | ||
first_name: "Test", | ||
last_name: "User" | ||
}, | ||
extra: { | ||
raw_info: { | ||
organisation: { | ||
id: org_id, | ||
} | ||
} | ||
} | ||
} | ||
) | ||
|
||
stub_request( | ||
:get, | ||
"#{ENV.fetch("DFE_SIGN_IN_API_BASE_URL")}/services/checkrecordteacher/organisations/#{org_id}/users/123456", | ||
).to_return_json( | ||
status: 200, | ||
body: { "roles" => [{ "code" => (authorised ? role_code : "Unauthorised_Role") }] }, | ||
) | ||
end | ||
|
||
def when_i_visit_the_sign_in_page | ||
|
@@ -28,5 +43,13 @@ def when_i_visit_the_sign_in_page | |
def and_click_the_dsi_sign_in_button | ||
click_button "Sign in" | ||
end | ||
|
||
def org_id | ||
"12345678-1234-1234-1234-123456789012" | ||
end | ||
|
||
def role_code | ||
ENV.fetch("DFE_SIGN_IN_API_ROLE_CODES").split(",").first | ||
end | ||
end | ||
end |
21 changes: 21 additions & 0 deletions
21
spec/system/check_records/unauthorised_user_signs_in_spec.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# frozen_string_literal: true | ||
|
||
require "rails_helper" | ||
|
||
RSpec.describe "DSI authentication", host: :check_records do | ||
include AuthorizationSteps | ||
include CheckRecords::AuthenticationSteps | ||
|
||
scenario "Unauthorised user signs in via DfE Sign In", test: :with_stubbed_auth do | ||
when_i_am_authorized_with_basic_auth | ||
when_i_sign_in_via_dsi(authorised: false) | ||
then_i_am_redirected_to_the_unauthorised_page | ||
end | ||
|
||
private | ||
|
||
def then_i_am_redirected_to_the_unauthorised_page | ||
expect(page).to have_current_path("/check-records/not-authorised") | ||
expect(page).to have_content("You are not authorised to access this service") | ||
end | ||
end |