Merge pull request #182 from companieshouse/feature/return-internal-id-if-api-key

Full record to return internal_id when using api key.

Author: clewis1

src/main/java/uk/gov/companieshouse/pscdataapi/config/WebSecurityConfig.java

@@ -6,6 +6,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -17,6 +18,7 @@
 import uk.gov.companieshouse.api.filter.CustomCorsFilter;
 import uk.gov.companieshouse.api.interceptor.InternalUserInterceptor;
 import uk.gov.companieshouse.api.interceptor.UserAuthenticationInterceptor;
+import uk.gov.companieshouse.pscdataapi.interceptor.AuthenticationHelper;
 import uk.gov.companieshouse.pscdataapi.interceptor.AuthenticationHelperImpl;
 import uk.gov.companieshouse.pscdataapi.interceptor.FullRecordAuthenticationInterceptor;
 
@@ -60,7 +62,9 @@ public FullRecordAuthenticationInterceptor fullRecordAuthenticationInterceptor()
         return new FullRecordAuthenticationInterceptor(authenticationHelper());
     }
 
-    public AuthenticationHelperImpl authenticationHelper() {
+    @Bean
+    @Primary
+    public AuthenticationHelper authenticationHelper() {
         return new AuthenticationHelperImpl();
     }
 

src/main/java/uk/gov/companieshouse/pscdataapi/controller/CompanyPscFullRecordGetController.java

@@ -1,5 +1,6 @@
 package uk.gov.companieshouse.pscdataapi.controller;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -10,6 +11,7 @@
 import uk.gov.companieshouse.logging.Logger;
 import uk.gov.companieshouse.logging.LoggerFactory;
 import uk.gov.companieshouse.pscdataapi.exceptions.ResourceNotFoundException;
+import uk.gov.companieshouse.pscdataapi.interceptor.AuthenticationHelper;
 import uk.gov.companieshouse.pscdataapi.logging.DataMapHolder;
 import uk.gov.companieshouse.pscdataapi.service.CompanyPscService;
 
@@ -20,11 +22,14 @@
 public class CompanyPscFullRecordGetController {
     private static final Logger LOGGER = LoggerFactory.getLogger("psc-data-api");
     private static final String GETTING_FULL_RECORD_PSC_DATA_WITH_COMPANY_NUMBER = "Getting Full record PSC data with company number %s";
+    public static final String OAUTH_2 = "oauth2";
 
     private final CompanyPscService pscService;
+    private final AuthenticationHelper authHelper;
 
-    public CompanyPscFullRecordGetController(final CompanyPscService pscService) {
+    public CompanyPscFullRecordGetController(final CompanyPscService pscService, AuthenticationHelper authHelper) {
         this.pscService = pscService;
+        this.authHelper = authHelper;
     }
 
     /**
@@ -37,14 +42,21 @@ public CompanyPscFullRecordGetController(final CompanyPscService pscService) {
     @GetMapping("/individual/{notification_id}/full_record")
     public ResponseEntity<PscIndividualFullRecordApi> getIndividualFullRecordPscData(
             @PathVariable("company_number") final String companyNumber,
-            @PathVariable("notification_id") final String notificationId) {
+            @PathVariable("notification_id") final String notificationId,
+            final HttpServletRequest request) {
+
+        final String identityType = authHelper.getAuthorisedIdentityType(request);
         DataMapHolder.get()
                 .companyNumber(companyNumber)
                 .itemId(notificationId);
         LOGGER.info(String.format(GETTING_FULL_RECORD_PSC_DATA_WITH_COMPANY_NUMBER, companyNumber),
                 DataMapHolder.getLogMap());
         try {
             final PscIndividualFullRecordApi individualFullRecord = pscService.getIndividualFullRecord(companyNumber, notificationId);
+
+            if (identityType.equals(OAUTH_2)) {
+                individualFullRecord.setInternalId(null);
+            }
             return ResponseEntity.ok(individualFullRecord);
         } catch (final ResourceNotFoundException ex) {
             LOGGER.error(ex.getMessage(), DataMapHolder.getLogMap());

src/test/java/uk/gov/companieshouse/pscdataapi/controller/CompanyPscFullRecordGetControllerTest.java

@@ -37,9 +37,11 @@ class CompanyPscFullRecordGetControllerTest {
     private static final String MOCK_COMPANY_NUMBER = "1234567";
     private static final String MOCK_NOTIFICATION_ID = "123456789";
     private static final String ERIC_IDENTITY = "Test-Identity";
-    private static final String ERIC_IDENTITY_TYPE = "key";
+    private static final String ERIC_IDENTITY_TYPE_API_KEY = "key";
+    private static final String ERIC_IDENTITY_TYPE_OAUTH2 = "oauth2";
     private static final String ERIC_PRIVILEGES = "*";
     private static final String ERIC_AUTH_SENSITIVE = "sensitive-data";
+    private static final String ERIC_AUTHORISED_TOKEN_PERMISSIONS_HEADER = "company_pscs=readprotected user_profile=read";
 
     private static final String GET_INDIVIDUAL_FULL_RECORD_URL = String.format(
         "/company/%s/persons-with-significant-control/individual/%s/full_record", MOCK_COMPANY_NUMBER,
@@ -58,8 +60,8 @@ void contextLoads() {
     }
 
     @Test
-    @DisplayName("Should return 200 status with full record data")
-    void getIndividualPSC() throws Exception {
+    @DisplayName("Should return 200 status with full record data when eric_identity_type=key")
+    void getIndividualPSCWithApiKey() throws Exception {
         when(companyPscService.getIndividualFullRecord(MOCK_COMPANY_NUMBER, MOCK_NOTIFICATION_ID)).thenReturn(
             createFullRecord());
 
@@ -105,7 +107,7 @@ void getIndividualPSC() throws Exception {
             """;
 
         mockMvc.perform(get(GET_INDIVIDUAL_FULL_RECORD_URL).header("ERIC-Identity", ERIC_IDENTITY)
-            .header("ERIC-Identity-Type", ERIC_IDENTITY_TYPE)
+            .header("ERIC-Identity-Type", ERIC_IDENTITY_TYPE_API_KEY)
             .contentType(APPLICATION_JSON)
             .header("x-request-id", X_REQUEST_ID)
             .header("ERIC-Authorised-Key-Roles", ERIC_PRIVILEGES)
@@ -114,6 +116,64 @@ void getIndividualPSC() throws Exception {
             .andExpect(content().json(expectedData, true));
     }
 
+    @Test
+    @DisplayName("Should return 200 status with full record data when eric_identity_type=oauth2")
+    void getIndividualPSCWithOauth2() throws Exception {
+        when(companyPscService.getIndividualFullRecord(MOCK_COMPANY_NUMBER, MOCK_NOTIFICATION_ID)).thenReturn(
+            createFullRecord());
+
+        final String expectedData = """
+            {
+              "kind": "individual-person-with-significant-control",
+              "date_of_birth": {
+                "day": 1,
+                "month": 2,
+                "year": 2000
+              },
+              "name": "Andy Bob Smith",
+              "name_elements": {
+                "surname": "Smith",
+                "forename": "Andy",
+                "middle_name": "Bob"
+              },
+              "links": {
+                  "self": "/company/123/persons-with-significant-control/456"
+                },
+              "nationality": "British",
+              "service_address": {
+                "address_line_1": "addressLine1",
+                "postal_code": "CF12 3AB",
+                "premises": "1"
+              },
+              "natures_of_control": [
+                "nature of my control"
+              ],
+              "usual_residential_address": {
+                "address_line_1": "Home street",
+                "postal_code": "AB12 3CD",
+                "premises": "Cottage"
+              },
+              "residential_address_same_as_service_address": false,
+              "verification_state": {
+                "verification_status": "VERIFIED",
+                "verification_start_date": "2025-01-10",
+                "verification_statement_due_date": "2025-02-05"
+              }
+            }
+            """;
+
+        mockMvc.perform(get(GET_INDIVIDUAL_FULL_RECORD_URL).header("ERIC-Identity", ERIC_IDENTITY)
+                .header("ERIC-Identity-Type", ERIC_IDENTITY_TYPE_OAUTH2)
+                .contentType(APPLICATION_JSON)
+                .header("x-request-id", X_REQUEST_ID)
+                .header("ERIC-Authorised-Key-Roles", ERIC_PRIVILEGES)
+                .header("ERIC-Authorised-Key-Privileges", ERIC_AUTH_SENSITIVE)
+                .header("ERIC-Authorised-Token-Permissions", ERIC_AUTHORISED_TOKEN_PERMISSIONS_HEADER)).andExpect(status().isOk())
+            .andDo(print())
+            .andExpect(content().json(expectedData, true));
+    }
+
+
     @Test
     @DisplayName("Should return 404 when Individual PSC not found")
     void shouldReturn404WhenIndividualPscNotFound() throws Exception {
@@ -122,7 +182,7 @@ void shouldReturn404WhenIndividualPscNotFound() throws Exception {
             "Individual PSC document not found in Mongo with id " + MOCK_NOTIFICATION_ID));
 
         mockMvc.perform(get(GET_INDIVIDUAL_FULL_RECORD_URL).header("ERIC-Identity", ERIC_IDENTITY)
-                .header("ERIC-Identity-Type", ERIC_IDENTITY_TYPE)
+                .header("ERIC-Identity-Type", ERIC_IDENTITY_TYPE_API_KEY)
                 .contentType(APPLICATION_JSON)
                 .header("x-request-id", X_REQUEST_ID)
                 .header("ERIC-Authorised-Key-Roles", ERIC_PRIVILEGES)