Merge pull request #5244 from DFE-Digital/3650-use-known-tokens

Generate known tokens for parity check on migration DB restore

.github/workflows/refresh_migration_database.yml

@@ -25,3 +25,25 @@ jobs:
         with:
           environment: production
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Login
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+        with:
+          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Install kubectl
+        uses: DFE-Digital/github-actions/set-kubectl@master
+
+      - name: Set AKS credentials (migration)
+        shell: bash
+        run: make ci migration get-cluster-credentials
+
+      - name: Generate known keys
+        shell: bash
+        run: |
+          kubectl -n cpd-production exec -ti --tty deployment/npq-registration-migration-web -- /bin/sh -c "cd /app && bundle exec rails runner \"Migration::ParityCheck::TokenProvider.new.generate!\""
+          

app/services/migration/parity_check/token_provider.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Migration
+  class ParityCheck::TokenProvider
+    class UnsupportedEnvironmentError < RuntimeError; end
+
+    def generate!
+      raise UnsupportedEnvironmentError, "The parity check functionality is disabled for this environment" unless enabled?
+
+      known_tokens_by_lead_provider_ecf_id.each do |id, token|
+        cpd_lead_provider = NPQLeadProvider.find_by!(id:).cpd_lead_provider
+        create_with_known_token!(token:, cpd_lead_provider:) if cpd_lead_provider
+      end
+    end
+
+  private
+
+    def known_tokens_by_lead_provider_ecf_id
+      JSON.parse(ENV["PARITY_CHECK_KEYS"].to_s)
+    rescue JSON::ParserError
+      {}
+    end
+
+    def create_with_known_token!(token:, cpd_lead_provider:)
+      LeadProviderApiToken.create_with_known_token!(token, cpd_lead_provider:)
+    end
+
+    def enabled?
+      Rails.env.migration?
+    end
+  end
+end

spec/services/migration/parity_check/token_provider_spec.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe Migration::ParityCheck::TokenProvider do
+  before do
+    create_list(:npq_lead_provider, 3)
+
+    allow(Rails).to receive(:env) { environment.inquiry }
+
+    allow(ENV).to receive(:[]).and_call_original
+    allow(ENV).to receive(:[]).with("PARITY_CHECK_KEYS").and_return(keys.to_json) if keys
+  end
+
+  let(:instance) { described_class.new }
+
+  describe "#generate!" do
+    subject(:generate) { instance.generate! }
+
+    context "when running in migration" do
+      let(:environment) { "migration" }
+
+      context "when the keys are not present" do
+        let(:keys) { nil }
+
+        it { expect { generate }.not_to change(ApiToken, :count) }
+      end
+
+      context "when the keys are present" do
+        let(:keys) do
+          NPQLeadProvider.all.each_with_object({}) do |lead_provider, hash|
+            hash[lead_provider.id] = SecureRandom.uuid
+          end
+        end
+
+        it { expect { generate }.to change(ApiToken, :count).by(NPQLeadProvider.count) }
+
+        it "generates valid tokens for each lead provider" do
+          generate
+
+          NPQLeadProvider.find_each do |lead_provider|
+            cpd_lead_provider = lead_provider.cpd_lead_provider
+            token = keys[lead_provider.id]
+            expect(ApiToken.find_by_unhashed_token(token).cpd_lead_provider).to eq(cpd_lead_provider)
+          end
+        end
+      end
+    end
+
+    context "when not running in migration" do
+      let(:environment) { "production" }
+      let(:keys) { {} }
+
+      it { expect { generate }.to raise_error(described_class::UnsupportedEnvironmentError, "The parity check functionality is disabled for this environment") }
+    end
+  end
+end