Merge pull request #26 from companieshouse/lp-204-authentication-interceptor

mattch1 · web-flow · commit b126a0523b03 · 2024-11-12T14:14:34.000Z
LP-204 Introduced user authentication and token permissions
diff --git a/pom.xml b/pom.xml
@@ -27,6 +27,7 @@
         <org.mapstruct.version>1.5.5.Final</org.mapstruct.version>
         <log4j.version>2.24.1</log4j.version>
         <jib-maven-plugin.version>3.4.2</jib-maven-plugin.version>
+        <api-security-java.version>2.0.8</api-security-java.version>
     </properties>
 
     <profiles>
@@ -79,6 +80,11 @@
             <artifactId>api-sdk-java</artifactId>
             <version>${api-sdk-java.version}</version>
         </dependency>
+        <dependency>
+            <groupId>uk.gov.companieshouse</groupId>
+            <artifactId>api-security-java</artifactId>
+            <version>${api-security-java.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.mapstruct</groupId>
             <artifactId>mapstruct</artifactId>
@@ -97,11 +103,6 @@
             <version>${sonar-maven-plugin.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>
diff --git a/src/main/java/uk/gov/companieshouse/limitedpartnershipsapi/config/InterceptorConfig.java b/src/main/java/uk/gov/companieshouse/limitedpartnershipsapi/config/InterceptorConfig.java
@@ -4,16 +4,23 @@
 import org.springframework.lang.NonNull;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import uk.gov.companieshouse.api.interceptor.TokenPermissionsInterceptor;
+import uk.gov.companieshouse.limitedpartnershipsapi.interceptor.CustomUserAuthenticationInterceptor;
 import uk.gov.companieshouse.limitedpartnershipsapi.interceptor.LoggingInterceptor;
 
-
 @Configuration
 public class InterceptorConfig implements WebMvcConfigurer {
 
+    private static final String PARTNERSHIP = "/transactions/**/partnership";
+
     private final LoggingInterceptor loggingInterceptor;
 
-    public InterceptorConfig(LoggingInterceptor loggingInterceptor) {
+    private final CustomUserAuthenticationInterceptor customUserAuthenticationInterceptor;
+
+
+    public InterceptorConfig(LoggingInterceptor loggingInterceptor, CustomUserAuthenticationInterceptor customUserAuthenticationInterceptor) {
         this.loggingInterceptor = loggingInterceptor;
+        this.customUserAuthenticationInterceptor = customUserAuthenticationInterceptor;
     }
 
     /**
@@ -24,5 +31,9 @@ public InterceptorConfig(LoggingInterceptor loggingInterceptor) {
     @Override
     public void addInterceptors(@NonNull InterceptorRegistry registry) {
         registry.addInterceptor(loggingInterceptor);
+        registry.addInterceptor(new TokenPermissionsInterceptor())
+                .addPathPatterns(PARTNERSHIP);
+        registry.addInterceptor(customUserAuthenticationInterceptor)
+                .addPathPatterns(PARTNERSHIP);
     }
 }
diff --git a/src/main/java/uk/gov/companieshouse/limitedpartnershipsapi/interceptor/CustomUserAuthenticationInterceptor.java b/src/main/java/uk/gov/companieshouse/limitedpartnershipsapi/interceptor/CustomUserAuthenticationInterceptor.java
@@ -0,0 +1,57 @@
+package uk.gov.companieshouse.limitedpartnershipsapi.interceptor;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.lang.NonNull;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+import uk.gov.companieshouse.api.util.security.AuthorisationUtil;
+import uk.gov.companieshouse.api.util.security.Permission;
+import uk.gov.companieshouse.api.util.security.SecurityConstants;
+import uk.gov.companieshouse.limitedpartnershipsapi.utils.ApiLogger;
+
+import java.util.HashMap;
+
+import static uk.gov.companieshouse.limitedpartnershipsapi.utils.Constants.ERIC_REQUEST_ID_KEY;
+
+@Component
+public class CustomUserAuthenticationInterceptor implements HandlerInterceptor {
+
+    @Override
+    public boolean preHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull Object handler) {
+        String reqId = request.getHeader(ERIC_REQUEST_ID_KEY);
+
+        if (skipTokenPermissionChecksWhenApiKeyUsed(reqId, request)) {
+            return true;
+        }
+
+        // TokenPermissions should have been set up in the request by TokenPermissionsInterceptor
+        final var tokenPermissions = AuthorisationUtil.getTokenPermissions(request)
+                .orElseThrow(() -> new IllegalStateException("CustomUserAuthenticationInterceptor - TokenPermissions object not present in request"));
+
+        boolean hasCompanyIncorporationCreatePermission = tokenPermissions.hasPermission(Permission.Key.COMPANY_INCORPORATION, Permission.Value.CREATE);
+
+        var authInfoMap = new HashMap<String, Object>();
+        authInfoMap.put("request_method", request.getMethod());
+        authInfoMap.put("has_company_incorporation_create_permission", hasCompanyIncorporationCreatePermission);
+
+        if (hasCompanyIncorporationCreatePermission) {
+            ApiLogger.debugContext(reqId, "CustomUserAuthenticationInterceptor authorised with company_incorporation=create permission",
+                    authInfoMap);
+            return true;
+        }
+        ApiLogger.infoContext(reqId, "CustomUserAuthenticationInterceptor unauthorised", authInfoMap);
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        return false;
+    }
+
+    private boolean skipTokenPermissionChecksWhenApiKeyUsed(String reqId, HttpServletRequest request) {
+        var logMap = new HashMap<String, Object>();
+
+        if (SecurityConstants.API_KEY_IDENTITY_TYPE.equals(AuthorisationUtil.getAuthorisedIdentityType(request))) {
+            ApiLogger.debugContext(reqId, "CustomUserAuthenticationInterceptor skipping token permission checks for api key request", logMap);
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/src/test/java/uk/gov/companieshouse/limitedpartnershipsapi/config/InterceptorConfigTest.java b/src/test/java/uk/gov/companieshouse/limitedpartnershipsapi/config/InterceptorConfigTest.java
@@ -8,9 +8,10 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistration;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import uk.gov.companieshouse.api.interceptor.TokenPermissionsInterceptor;
+import uk.gov.companieshouse.limitedpartnershipsapi.interceptor.CustomUserAuthenticationInterceptor;
 import uk.gov.companieshouse.limitedpartnershipsapi.interceptor.LoggingInterceptor;
 
-
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.inOrder;
 import static org.mockito.Mockito.times;
@@ -29,6 +30,8 @@ class InterceptorConfigTest {
     @Mock
     private LoggingInterceptor loggingInterceptor;
 
+    @Mock
+    private CustomUserAuthenticationInterceptor customUserAuthenticationInterceptor;
 
     @InjectMocks
     private InterceptorConfig interceptorConfig;
@@ -41,7 +44,9 @@ void addInterceptorsTest() {
 
         InOrder inOrder = inOrder(interceptorRegistry, interceptorRegistration);
         inOrder.verify(interceptorRegistry).addInterceptor(loggingInterceptor);
+        inOrder.verify(interceptorRegistry).addInterceptor(any(TokenPermissionsInterceptor.class));
+        inOrder.verify(interceptorRegistry).addInterceptor(customUserAuthenticationInterceptor);
 
-        verify(interceptorRegistry, times(1)).addInterceptor(any());
+        verify(interceptorRegistry, times(3)).addInterceptor(any());
     }
 }
diff --git a/src/test/java/uk/gov/companieshouse/limitedpartnershipsapi/interceptor/CustomUserAuthenticationInterceptorTest.java b/src/test/java/uk/gov/companieshouse/limitedpartnershipsapi/interceptor/CustomUserAuthenticationInterceptorTest.java
@@ -0,0 +1,74 @@
+package uk.gov.companieshouse.limitedpartnershipsapi.interceptor;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.mock.web.MockHttpServletResponse;
+import uk.gov.companieshouse.api.util.security.Permission;
+import uk.gov.companieshouse.api.util.security.SecurityConstants;
+import uk.gov.companieshouse.api.util.security.TokenPermissions;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.when;
+import static uk.gov.companieshouse.limitedpartnershipsapi.utils.Constants.ERIC_REQUEST_ID_KEY;
+
+@ExtendWith(MockitoExtension.class)
+class CustomUserAuthenticationInterceptorTest {
+
+    private static final String REQ_ID = "43hj5jh345";
+    private static final String TOKEN_PERMISSIONS = "token_permissions";
+    public static final String ERIC_IDENTITY_TYPE = "ERIC-Identity-Type";
+
+    @Mock
+    private HttpServletRequest mockHttpServletRequest;
+    @Mock
+    private TokenPermissions mockTokenPermissions;
+    @InjectMocks
+    private CustomUserAuthenticationInterceptor userAuthenticationInterceptor;
+
+    @Test
+    void testInterceptorReturnsTrueWhenRequestHasCorrectTokenPermission() {
+        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
+        Object mockHandler = new Object();
+
+        when(mockHttpServletRequest.getAttribute(TOKEN_PERMISSIONS)).thenReturn(mockTokenPermissions);
+
+        when(mockTokenPermissions.hasPermission(Permission.Key.COMPANY_INCORPORATION, Permission.Value.CREATE)).thenReturn(true);
+
+        var result = userAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, mockHandler);
+        assertTrue(result);
+    }
+
+    @Test
+    void testInterceptorReturnsFalseWhenRequestHasIncorrectTokenPermission() {
+        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
+        Object mockHandler = new Object();
+
+        when(mockHttpServletRequest.getAttribute(TOKEN_PERMISSIONS)).thenReturn(mockTokenPermissions);
+
+        when(mockTokenPermissions.hasPermission(Permission.Key.COMPANY_INCORPORATION, Permission.Value.CREATE)).thenReturn(false);
+
+        var result = userAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, mockHandler);
+        assertFalse(result);
+        assertEquals(HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus());
+    }
+
+    @Test
+    void testTokenPermissionIsSkippedAndInterceptorReturnsTrueWhenAnApiKeyIsUsed() {
+        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
+        Object mockHandler = new Object();
+
+        when(mockHttpServletRequest.getHeader(ERIC_REQUEST_ID_KEY)).thenReturn(REQ_ID);
+
+        when(mockHttpServletRequest.getHeader(ERIC_IDENTITY_TYPE)).thenReturn(SecurityConstants.API_KEY_IDENTITY_TYPE);
+
+        var result = userAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, mockHandler);
+        assertTrue(result);
+    }
+}
