Skip to content

Commit

Permalink
Check the role info from DSI API when user logs in
Browse files Browse the repository at this point in the history
We don't do this if bypassing DSI.
The first role to match the list of authorised roles will be recorded in the DsiUserSession along with org info.
The absence of a valid role takes the user to the 'Not authorised' page.
  • Loading branch information
steventux committed Sep 13, 2023
1 parent fb9f34f commit edcf6bc
Show file tree
Hide file tree
Showing 6 changed files with 68 additions and 4 deletions.
13 changes: 12 additions & 1 deletion app/controllers/check_records/omniauth_callbacks_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,18 @@ class CheckRecords::OmniauthCallbacksController < ApplicationController
protect_from_forgery except: :dfe_bypass

def dfe
@dsi_user = DsiUser.create_or_update_from_dsi(request.env["omniauth.auth"])
auth = request.env["omniauth.auth"]

unless CheckRecords::DfESignIn.bypass?
role = DfESignInApi::GetUserAccessToService.new(
org_id: auth.extra.raw_info.organisation.id,
user_id: auth.uid,
).call

return redirect_to check_records_not_authorised_path unless role
end

@dsi_user = DsiUser.create_or_update_from_dsi(auth, role)
session[:dsi_user_id] = @dsi_user.id
session[:dsi_user_session_expiry] = 2.hours.from_now.to_i

Expand Down
3 changes: 3 additions & 0 deletions app/controllers/check_records/sign_in_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,8 @@ class SignInController < CheckRecordsController

def new
end

def not_authorised
end
end
end
5 changes: 5 additions & 0 deletions app/views/check_records/sign_in/not_authorised.html.erb
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
<h1 class="govuk-heading-l">Authorisation required</h1>
<p class="govuk-body">
You are not authorised to access this service.
</p>

1 change: 1 addition & 0 deletions config/routes/check_records.rb
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
get "/privacy", to: "static#privacy"

get "/sign-in", to: "sign_in#new"
get "/not-authorised", to: "sign_in#not_authorised"
get "/sign-out", to: "sign_out#new"

get "/auth/dfe/callback", to: "omniauth_callbacks#dfe"
Expand Down
29 changes: 26 additions & 3 deletions spec/support/system/check_records/authentication_steps.rb
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
module CheckRecords
module AuthenticationSteps
def when_i_sign_in_via_dsi
given_dsi_auth_is_mocked
def when_i_sign_in_via_dsi(authorised: true)
given_dsi_auth_is_mocked(authorised:)
when_i_visit_the_sign_in_page
and_click_the_dsi_sign_in_button
end
alias_method :and_i_am_signed_in_via_dsi, :when_i_sign_in_via_dsi

def given_dsi_auth_is_mocked
def given_dsi_auth_is_mocked(authorised:)
OmniAuth.config.mock_auth[:dfe] = OmniAuth::AuthHash.new(
{
provider: "dfe",
Expand All @@ -16,9 +16,24 @@ def given_dsi_auth_is_mocked
email: "[email protected]",
first_name: "Test",
last_name: "User"
},
extra: {
raw_info: {
organisation: {
id: org_id,
}
}
}
}
)

stub_request(
:get,
"#{ENV.fetch("DFE_SIGN_IN_API_BASE_URL")}/services/checkrecordteacher/organisations/#{org_id}/users/123456",
).to_return_json(
status: 200,
body: { "roles" => [{ "code" => (authorised ? role_code : "Unauthorised_Role") }] },
)
end

def when_i_visit_the_sign_in_page
Expand All @@ -28,5 +43,13 @@ def when_i_visit_the_sign_in_page
def and_click_the_dsi_sign_in_button
click_button "Sign in"
end

def org_id
"12345678-1234-1234-1234-123456789012"
end

def role_code
ENV.fetch("DFE_SIGN_IN_API_ROLE_CODES").split(",").first
end
end
end
21 changes: 21 additions & 0 deletions spec/system/check_records/unauthorised_user_signs_in_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# frozen_string_literal: true

require "rails_helper"

RSpec.describe "DSI authentication", host: :check_records do
include AuthorizationSteps
include CheckRecords::AuthenticationSteps

scenario "Unauthorised user signs in via DfE Sign In", test: :with_stubbed_auth do
when_i_am_authorized_with_basic_auth
when_i_sign_in_via_dsi(authorised: false)
then_i_am_redirected_to_the_unauthorised_page
end

private

def then_i_am_redirected_to_the_unauthorised_page
expect(page).to have_current_path("/check-records/not-authorised")
expect(page).to have_content("You are not authorised to access this service")
end
end

0 comments on commit edcf6bc

Please sign in to comment.