APIS-7076 Add fix to command authorise to disable in subordinate env (#…

…497)
hmrc · May 30, 2024 · 2927981 · 2927981
1 parent 77fca76
commit 2927981
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 11 deletions.
diff --git a/app/uk/gov/hmrc/thirdpartyapplication/services/ApplicationCommandAuthenticator.scala b/app/uk/gov/hmrc/thirdpartyapplication/services/ApplicationCommandAuthenticator.scala
@@ -26,30 +26,43 @@ import uk.gov.hmrc.auth.core.retrieve.Name
 import uk.gov.hmrc.auth.core.retrieve.v2.Retrievals
 import uk.gov.hmrc.http.HeaderCarrier
 
+import uk.gov.hmrc.apiplatform.modules.common.services.ApplicationLogger
 import uk.gov.hmrc.apiplatform.modules.commands.applications.domain.models.{ApplicationCommand, GatekeeperMixin}
 import uk.gov.hmrc.apiplatform.modules.gkauth.connectors.StrideAuthConnector
 import uk.gov.hmrc.apiplatform.modules.gkauth.domain.models.StrideAuthRoles
+import uk.gov.hmrc.thirdpartyapplication.config.AuthControlConfig
 
 @Singleton
 class ApplicationCommandAuthenticator @Inject() (
     strideAuthRoles: StrideAuthRoles,
-    strideAuthConnector: StrideAuthConnector
+    strideAuthConnector: StrideAuthConnector,
+    authControlConfig: AuthControlConfig
   )(implicit ec: ExecutionContext
-  ) {
+  ) extends ApplicationLogger {
 
   def authenticateCommand(cmd: ApplicationCommand)(implicit hc: HeaderCarrier): Future[Boolean] = {
-    cmd match {
-      case gkcmd: ApplicationCommand with GatekeeperMixin => isStrideAuthorised(gkcmd)
-      case _                                              => successful(true)
+    if (authControlConfig.enabled) {
+      cmd match {
+        case gkcmd: ApplicationCommand with GatekeeperMixin => isStrideAuthorised(gkcmd)
+        case _                                              => successful(true)
+      }
+    } else {
+      successful(true)
     }
   }
 
   private def isStrideAuthorised(gkcmd: ApplicationCommand with GatekeeperMixin)(implicit hc: HeaderCarrier): Future[Boolean] = {
     authorise() map {
       case Some(name) => checkName(gkcmd, name)
-      case _          => false
+      case _          => {
+        logger.info("Authorisation failed because authorise returned nothing")
+        false
+      }
     } recover {
-      case NonFatal(_) => false
+      case NonFatal(e) => {
+        logger.info(s"Authorisation failed because authorise threw an exception: ${e.getMessage()}")
+        false
+      }
     }
   }
 
@@ -60,6 +73,16 @@ class ApplicationCommandAuthenticator @Inject() (
   }
 
   private def checkName(gkcmd: ApplicationCommand with GatekeeperMixin, retrieveName: Name): Boolean = {
-    retrieveName.name.fold(false)(name => gkcmd.gatekeeperUser.equalsIgnoreCase(name))
+    retrieveName.name.fold {
+      logger.info("Authorisation failed because name retrieved was empty")
+      false
+    } { name =>
+      if (gkcmd.gatekeeperUser.equalsIgnoreCase(name)) {
+        true
+      } else {
+        logger.info(s"Authorisation failed because name retrieved ($name) was different from name supplied in command (${gkcmd.gatekeeperUser})")
+        false
+      }
+    }
   }
 }
diff --git a/test/uk/gov/hmrc/thirdpartyapplication/services/ApplicationCommandAuthenticatorSpec.scala b/test/uk/gov/hmrc/thirdpartyapplication/services/ApplicationCommandAuthenticatorSpec.scala
@@ -27,6 +27,7 @@ import uk.gov.hmrc.apiplatform.modules.applications.core.domain.models.ClientSec
 import uk.gov.hmrc.apiplatform.modules.commands.applications.domain.models.ApplicationCommands._
 import uk.gov.hmrc.apiplatform.modules.gkauth.domain.models.StrideAuthRoles
 import uk.gov.hmrc.apiplatform.modules.gkauth.services.StrideAuthConnectorMockModule
+import uk.gov.hmrc.thirdpartyapplication.config.AuthControlConfig
 import uk.gov.hmrc.thirdpartyapplication.util.AsyncHmrcSpec
 
 class ApplicationCommandAuthenticatorSpec extends AsyncHmrcSpec with StrideAuthConnectorMockModule with FixedClock {
@@ -37,12 +38,15 @@ class ApplicationCommandAuthenticatorSpec extends AsyncHmrcSpec with StrideAuthC
     val developerAsActor = Actors.AppCollaborator(devEmail)
     val gatekeeperUser   = "gatekeeper.user"
 
-    val strideAuthRoles: StrideAuthRoles = StrideAuthRoles("admin", "super-user", "user")
-    implicit val headers: HeaderCarrier  = HeaderCarrier()
+    val strideAuthRoles: StrideAuthRoles     = StrideAuthRoles("admin", "super-user", "user")
+    val authControlConfig: AuthControlConfig = AuthControlConfig(true, true, "authKey")
+
+    implicit val headers: HeaderCarrier = HeaderCarrier()
 
     val underTest = new ApplicationCommandAuthenticator(
       strideAuthRoles,
-      StrideAuthConnectorMock.aMock
+      StrideAuthConnectorMock.aMock,
+      authControlConfig
     )
   }