Change authenticaton/authorisaton for get order item

kinpang-CH · kinpang-CH · commit 7d9b8a6a881d · 2022-09-06T15:07:15.000+01:00
* Get order item endpoint should succeed if user has admin privileges
diff --git a/src/main/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthenticationInterceptor.java b/src/main/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthenticationInterceptor.java
@@ -56,8 +56,9 @@ private boolean checkAuthenticated(HttpServletRequest request, HttpServletRespon
                 return hasSignedInUser(request, response);
             case GET_PAYMENT_DETAILS:
             case GET_ORDER:
-            case GET_ORDER_ITEM:
                 return hasAuthenticatedClient(request, response);
+            case GET_ORDER_ITEM:
+                return securityManager.checkIdentity() || hasAuthenticatedClient(request, response);
             case GET_CHECKOUT:
             case SEARCH:
                 return securityManager.checkIdentity();
diff --git a/src/main/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthorisationInterceptor.java b/src/main/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthorisationInterceptor.java
@@ -87,8 +87,9 @@ private boolean checkAuthorised(HttpServletRequest request, HttpServletResponse
             case GET_CHECKOUT:
                 return securityManager.checkPermission() || getRequestClientIsAuthorised(request, response, this::getCheckoutUserIsResourceOwner);
             case GET_ORDER:
-            case GET_ORDER_ITEM:
                 return getRequestClientIsAuthorised(request, response, this::getOrderUserIsResourceOwner);
+            case GET_ORDER_ITEM:
+                return securityManager.checkPermission() || getRequestClientIsAuthorised(request, response, this::getOrderUserIsResourceOwner);
             case SEARCH:
                 return securityManager.checkPermission();
             case PATCH_PAYMENT_DETAILS:
diff --git a/src/test/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthenticationInterceptorTests.java b/src/test/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthenticationInterceptorTests.java
@@ -280,6 +280,28 @@ void ordersSearchInvalidIdentity() {
         assertThat(actual, is(false));
     }
 
+    @DisplayName("Authentication for get order item endpoint succeeds if caller identity is valid")
+    @Test
+    void getOrderItemValidIdentity() {
+        when(securityManager.checkIdentity()).thenReturn(true);
+        givenRequest(GET, "/orders/1234/items/5678");
+
+        boolean actual = interceptorUnderTest.preHandle(request, response, handler);
+
+        assertThat(actual, is(true));
+    }
+
+    @DisplayName("Authentication for orders/search endpoint false if caller identity is invalid")
+    @Test
+    void getOrderItemInvalidIdentity() {
+        when(securityManager.checkIdentity()).thenReturn(false);
+        givenRequest(GET, "/orders/1234/items/5678");
+
+        boolean actual = interceptorUnderTest.preHandle(request, response, handler);
+
+        assertThat(actual, is(false));
+    }
+
     @Test
     @DisplayName("preHandle rejects post reprocess order request that is unauthenticated")
     void preHandleRejectsUnauthenticatedPostReprocessOrderRequest() {
diff --git a/src/test/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthorisationInterceptorTests.java b/src/test/java/uk/gov/companieshouse/orders/api/interceptor/UserAuthorisationInterceptorTests.java
@@ -245,6 +245,37 @@ void ordersSearchInvalidAuthorisation() {
         assertThat(actual, is(false));
     }
 
+    @Test
+    @DisplayName("Authorisation for get order item endpoint succeeds if caller has admin permissions")
+    void getOrderItemValidAuthorisation() {
+        // given
+        givenRequest(GET, "/orders/1234/items/5678");
+        givenRequestHasSignedInUser(ERIC_IDENTITY_VALUE);
+        givenPathVariable(ORDER_ID_PATH_VARIABLE, "1");
+        when(orderRepository.findById("1")).thenReturn(Optional.of(order));
+        when(securityManager.checkPermission()).thenReturn(true);
+
+        // when
+        boolean actual = interceptorUnderTest.preHandle(request, response, handler);
+
+        // then
+        assertThat(actual, is(true));
+    }
+
+    @DisplayName("Authorisation for get order item endpoint false if caller has admin permissions")
+    @Test
+    void getOrderItemSearchInvalidAuthorisation() {
+        givenRequest(GET, "/orders/1234/items/5678");
+        givenRequestHasSignedInUser(ERIC_IDENTITY_VALUE);
+        givenPathVariable(ORDER_ID_PATH_VARIABLE, "1");
+        when(orderRepository.findById("1")).thenReturn(Optional.of(order));
+        when(securityManager.checkPermission()).thenReturn(false);
+
+        boolean actual = interceptorUnderTest.preHandle(request, response, handler);
+
+        assertThat(actual, is(false));
+    }
+
     @ParameterizedTest(name = "{index}: {0}")
     @MethodSource("apiGetRequestFixtures")
     void preHandleAcceptsAuthorisedInternalApiGetRequest(final String displayName, final String uri) {
