updates SSOe & SiS Cerner cookie setting log (#27500)

bramleyjl · web-flow · commit 7f6906aef51a · 2026-04-06T14:10:03.000-06:00
* updates SSOe &amp; SiS Cerner cookie setting log

* spec updates
diff --git a/app/controllers/concerns/authentication_and_sso_concerns.rb b/app/controllers/concerns/authentication_and_sso_concerns.rb
@@ -117,7 +117,8 @@ def set_cerner_eligibility_cookie
     }
 
     Rails.logger.info('[SessionsController] Cerner Eligibility', eligible:, previous_value:, cookie_action: :set,
-                                                                 icn: @current_user.icn)
+                                                                 icn: @current_user.icn,
+                                                                 cerner_limited: current_user.cerner_limited?)
   end
 
   def set_session_expiration_header
diff --git a/app/services/sign_in/user_loader.rb b/app/services/sign_in/user_loader.rb
@@ -57,10 +57,18 @@ def validate_account_and_session
     end
 
     def set_cerner_eligibility_cookie
-      cookies.permanent[CERNER_ELIGIBLE_COOKIE_NAME] = {
-        value: current_user.cerner_full?,
+      cookie_name = CERNER_ELIGIBLE_COOKIE_NAME
+      previous_value = ActiveModel::Type::Boolean.new.cast(cookies.signed[cookie_name] || cookies[cookie_name])
+      eligible = current_user.cerner_full?
+
+      cookies.permanent[cookie_name] = {
+        value: eligible,
         domain: IdentitySettings.sign_in.info_cookie_domain
       }
+
+      Rails.logger.info('[SignIn][UserLoader] Cerner Eligibility', eligible:, previous_value:, cookie_action: :set,
+                                                                   icn: user_account.icn,
+                                                                   cerner_limited: current_user.cerner_limited?)
     end
 
     def user_attributes
diff --git a/spec/controllers/v1/sessions_controller_spec.rb b/spec/controllers/v1/sessions_controller_spec.rb
@@ -956,11 +956,16 @@ def expect_logger_msg(level, msg)
         let(:cerner_eligible_cookie) { 'CERNER_ELIGIBLE' }
         let(:expected_log_message) { '[SessionsController] Cerner Eligibility' }
         let(:previous_value) { nil }
-        let(:expected_log_payload) { { eligible:, previous_value:, cookie_action: :set, icn: user.icn } }
+        let(:cerner_limited) { false }
+        let(:expected_log_payload) do
+          { eligible:, previous_value:, cookie_action: :set, icn: user.icn, cerner_limited: }
+        end
 
         before do
           SAMLRequestTracker.create(uuid: login_uuid, payload: { type: 'idme', application: 'some-applicaton' })
           allow(Rails.logger).to receive(:info)
+          allow(IdentitySettings.sign_in).to receive(:info_cookie_domain).and_return('some-domain')
+          allow_any_instance_of(User).to receive(:cerner_limited?).and_return(cerner_limited)
         end
 
         context 'when the cerner eligible cookie is not present' do
@@ -971,12 +976,28 @@ def expect_logger_msg(level, msg)
           context 'when the user is cerner eligible' do
             let(:eligible) { true }
 
-            it 'sets the cookie and logs the cerner eligibility' do
-              call_endpoint
+            context 'and user is cerner_limited' do
+              let(:cerner_limited) { true }
 
-              expect(response.headers['set-cookie']).to include('domain=some-domain')
-              expect(cookies[cerner_eligible_cookie]).to eq(eligible.to_s)
-              expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+              it 'sets the cookie and logs the cerner eligibility' do
+                call_endpoint
+
+                expect(response.headers['set-cookie']).to include('domain=some-domain')
+                expect(cookies[cerner_eligible_cookie]).to eq(eligible.to_s)
+                expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+              end
+            end
+
+            context 'and user is not cerner_limited' do
+              let(:cerner_limited) { false }
+
+              it 'sets the cookie and logs the cerner eligibility' do
+                call_endpoint
+
+                expect(response.headers['set-cookie']).to include('domain=some-domain')
+                expect(cookies[cerner_eligible_cookie]).to eq(eligible.to_s)
+                expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+              end
             end
           end
 
@@ -1001,10 +1022,22 @@ def expect_logger_msg(level, msg)
             cookies[cerner_eligible_cookie] = true
           end
 
-          it 'logs the cerner eligibility with the previous value' do
-            call_endpoint
+          context 'and user is cerner_limited' do
+            let(:cerner_limited) { true }
 
-            expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+            it 'logs the cerner eligibility with the previous value' do
+              call_endpoint
+
+              expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+            end
+          end
+
+          context 'and user is not cerner_limited' do
+            it 'logs the cerner eligibility with the previous value' do
+              call_endpoint
+
+              expect(Rails.logger).to have_received(:info).with(expected_log_message, expected_log_payload)
+            end
           end
         end
 
diff --git a/spec/services/sign_in/user_loader_spec.rb b/spec/services/sign_in/user_loader_spec.rb
@@ -10,6 +10,7 @@
     let(:cookies) do
       hash = {}
       def hash.permanent = self
+      def hash.signed = self
       hash
     end
 
@@ -208,6 +209,7 @@ def hash.permanent = self
             allow(Settings.mhv.oh_facility_checks)
               .to receive(:pretransitioned_oh_facilities)
               .and_return(stub_cerner_facility_ids)
+            allow(Rails.logger).to receive(:info)
           end
 
           context 'fully eligible user' do
@@ -229,6 +231,15 @@ def hash.permanent = self
               expect(Identity::CernerProvisionerJob).to have_received(:perform_async)
                 .with(user_icn, false, :sis)
             end
+
+            it 'logs the cerner eligibility with cerner_limited: false' do
+              subject
+
+              expect(Rails.logger).to have_received(:info).with(
+                '[SignIn][UserLoader] Cerner Eligibility',
+                { eligible: true, previous_value: nil, cookie_action: :set, icn: user_icn, cerner_limited: false }
+              )
+            end
           end
 
           context 'messaging-only user' do
@@ -248,6 +259,15 @@ def hash.permanent = self
               expect(Identity::CernerProvisionerJob).to have_received(:perform_async)
                 .with(user_icn, true, :sis)
             end
+
+            it 'logs the cerner eligibility with cerner_limited: true' do
+              subject
+
+              expect(Rails.logger).to have_received(:info).with(
+                '[SignIn][UserLoader] Cerner Eligibility',
+                { eligible: false, previous_value: nil, cookie_action: :set, icn: user_icn, cerner_limited: true }
+              )
+            end
           end
         end
 

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,8 @@ def set_cerner_eligibility_cookie`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`Rails.logger.info('[SessionsController] Cerner Eligibility', eligible:, previous_value:, cookie_action: :set,`
`120`		`- icn: @current_user.icn)`
	`120`	`+ icn: @current_user.icn,`
	`121`	`+ cerner_limited: current_user.cerner_limited?)`
`121`	`122`	`end`
`122`	`123`
`123`	`124`	`def set_session_expiration_header`