Add authorization to SM (#396)

* add authorization to SM

* revert cassettes

* revert cassettes

* fix specs without cassettes

* fix one more

* rubocop

* fix coverage

app/controllers/rx_controller.rb

@@ -12,19 +12,14 @@ class RxController < ApplicationController
   protected
 
   def client
-    @client ||= Rx::Client.new(session: { user_id: mhv_correlation_id })
+    # @client ||= Rx::Client.new(session: { user_id: current_user.mhv_correlation_id })
+    @client ||= Rx::Client.new(session: { user_id: ENV['MHV_USER_ID'] })
   end
 
   # def authorize_rx
-  #   mhv_correlation_id || raise_access_denied
+  #   current_user&.can_access_mhv? || raise_access_denied
   # end
 
-  def mhv_correlation_id
-    # Temporarily disabling token based auth and MVI based integration of fetching mhv id
-    # current_user.mhv_correlation_id
-    ENV['MHV_USER_ID']
-  end
-
   # def raise_access_denied
   #   raise Common::Exceptions::Forbidden, detail: 'You do not have access to prescriptions'
   # end

app/controllers/sm_controller.rb

@@ -4,13 +4,21 @@
 class SMController < ApplicationController
   include ActionController::Serialization
 
-  skip_before_action :authenticate
+  before_action :authorize_sm
   before_action :authenticate_client
 
   protected
 
   def client
-    @client ||= SM::Client.new(session: { user_id: ENV['MHV_SM_USER_ID'] })
+    @client ||= SM::Client.new(session: { user_id: current_user.mhv_correlation_id })
+  end
+
+  def authorize_sm
+    current_user&.can_access_mhv? || raise_access_denied
+  end
+
+  def raise_access_denied
+    raise Common::Exceptions::Forbidden, detail: 'You do not have access to messaging'
   end
 
   def authenticate_client

spec/factories/users.rb

@@ -40,11 +40,17 @@
     end
   end
 
-  factory :prescription_user, class: 'User' do
+  factory :mhv_user, class: 'User' do
     edipi '1234'
     icn '1000123456V123456'
     mhv_id '123456'
     participant_id '12345678'
+    loa do
+      {
+        current: LOA::THREE,
+        highest: LOA::THREE
+      }
+    end
     mvi do
       {
         birth_date: '18090212',

spec/request/attachments_request_spec.rb

@@ -6,15 +6,16 @@
 RSpec.describe 'Messages Integration', type: :request do
   include SM::ClientHelpers
 
-  before(:each) do
-    allow_any_instance_of(ApplicationController).to receive(:authenticate).and_return(true)
-    expect(SM::Client).to receive(:new).once.and_return(authenticated_client)
-  end
-
+  let(:current_user) { build(:mhv_user) }
   let(:user_id) { ENV['MHV_SM_USER_ID'] }
   let(:inbox_id) { 0 }
   let(:message_id) { 573_302 }
 
+  before(:each) do
+    allow_any_instance_of(SMController).to receive(:client).and_return(authenticated_client)
+    use_authenticated_current_user(current_user: current_user)
+  end
+
   describe '#show' do
     it 'responds sending data for an attachment' do
       VCR.use_cassette('sm_client/messages/nested_resources/gets_a_single_attachment_by_id') do

spec/request/breakers_integration_spec.rb

@@ -16,7 +16,7 @@
       token: Rx::ClientHelpers::TOKEN
     )
   end
-  let(:user) { build(:prescription_user) }
+  let(:user) { build(:mhv_user) }
 
   before(:each) do
     allow_any_instance_of(ApplicationController).to receive(:authenticate_token).and_return(:true)

spec/request/folders_request_spec.rb

@@ -6,14 +6,15 @@
 RSpec.describe 'Folders Integration', type: :request do
   include SM::ClientHelpers
 
-  before(:each) do
-    allow_any_instance_of(ApplicationController).to receive(:authenticate).and_return(true)
-    expect(SM::Client).to receive(:new).once.and_return(authenticated_client)
-  end
-
+  let(:current_user) { build(:mhv_user) }
   let(:user_id) { ENV['MHV_SM_USER_ID'] }
   let(:inbox_id) { 0 }
 
+  before(:each) do
+    allow_any_instance_of(SMController).to receive(:client).and_return(authenticated_client)
+    use_authenticated_current_user(current_user: current_user)
+  end
+
   describe '#index' do
     it 'responds to GET #index' do
       VCR.use_cassette('sm_client/folders/gets_a_collection_of_folders') do

spec/request/message_drafts_request_spec.rb

@@ -6,15 +6,16 @@
 RSpec.describe 'Messages Integration', type: :request do
   include SM::ClientHelpers
 
+  let(:current_user) { build(:mhv_user) }
   let(:reply_id)               { 631_270 }
   let(:created_draft_id)       { 655_626 }
   let(:created_draft_reply_id) { 655_628 }
   let(:draft) { attributes_for(:message, body: 'Body 1', subject: 'Subject 1') }
   let(:params) { draft.slice(:category, :subject, :body, :recipient_id) }
 
   before(:each) do
-    allow_any_instance_of(ApplicationController).to receive(:authenticate).and_return(true)
-    expect(SM::Client).to receive(:new).once.and_return(authenticated_client)
+    allow_any_instance_of(SMController).to receive(:client).and_return(authenticated_client)
+    use_authenticated_current_user(current_user: current_user)
   end
 
   describe 'drafts' do

spec/request/messages_request_spec.rb

@@ -6,15 +6,16 @@
 RSpec.describe 'Messages Integration', type: :request do
   include SM::ClientHelpers
 
-  before(:each) do
-    allow_any_instance_of(ApplicationController).to receive(:authenticate).and_return(true)
-    expect(SM::Client).to receive(:new).once.and_return(authenticated_client)
-  end
-
+  let(:current_user) { build(:mhv_user) }
   let(:user_id) { ENV['MHV_SM_USER_ID'] }
   let(:inbox_id) { 0 }
   let(:message_id) { 573_059 }
 
+  before(:each) do
+    allow_any_instance_of(SMController).to receive(:client).and_return(authenticated_client)
+    use_authenticated_current_user(current_user: current_user)
+  end
+
   it 'responds to GET #show' do
     VCR.use_cassette('sm_client/messages/gets_a_message_with_id') do
       get "/v0/messaging/health/messages/#{message_id}"
@@ -145,4 +146,15 @@
       expect(response).to have_http_status(:no_content)
     end
   end
+
+  context 'with an LOA1 user' do
+    let(:current_user) { build(:loa1_user) }
+
+    it 'gives me a 401' do
+      get "/v0/messaging/health/messages/#{message_id}"
+
+      expect(response).not_to be_success
+      expect(response.status).to eq(403)
+    end
+  end
 end

spec/request/prescriptions_request_spec.rb

@@ -6,8 +6,8 @@
 RSpec.describe 'prescriptions', type: :request do
   include Rx::ClientHelpers
 
-  let(:current_user) { build(:prescription_user) }
-  # before(:each)      { use_authenticated_current_user(current_user: current_user) }
+  let(:current_user) { build(:mhv_user) }
+
   before(:each) do
     allow_any_instance_of(RxController).to receive(:client).and_return(authenticated_client)
   end

spec/request/triage_teams_request_spec.rb

@@ -6,9 +6,11 @@
 RSpec.describe 'Triage Teams Integration', type: :request do
   include SM::ClientHelpers
 
+  let(:current_user) { build(:mhv_user) }
+
   it 'responds to GET #index' do
-    allow_any_instance_of(ApplicationController).to receive(:authenticate).and_return(true)
-    expect(SM::Client).to receive(:new).once.and_return(authenticated_client)
+    allow_any_instance_of(SMController).to receive(:client).and_return(authenticated_client)
+    use_authenticated_current_user(current_user: current_user)
 
     VCR.use_cassette('sm_client/triage_teams/gets_a_collection_of_triage_team_recipients') do
       get '/v0/messaging/health/recipients'

spec/spec_helper.rb

@@ -9,6 +9,7 @@
     track_files '{app,lib}/**/*.rb'
     add_filter 'config/initializers/sidekiq.rb'
     add_filter 'config/initializers/statsd.rb'
+    add_filter 'config/initializers/mvi_settings.rb'
     add_filter 'lib/tasks/support/shell_command.rb'
     add_filter 'lib/config_helper.rb'
     add_filter 'lib/feature_flipper.rb'

spec/support/vcr_cassettes/sm_client/messages/nested_resources/gets_a_single_attachment_by_id.yml

@@ -8059,6 +8059,6 @@ http_interactions:
         YXRlADIwMTYtMTAtMDVUMTg6MTE6NDMtMDQ6MDASbwXXAAAAJXRFWHRkYXRl
         Om1vZGlmeQAyMDE2LTEwLTA1VDE4OjExOjQzLTA0OjAwYzK9awAAAABJRU5E
         rkJggg==
-    http_version: 
+    http_version:
   recorded_at: Mon, 24 Oct 2016 09:42:11 GMT
 recorded_with: VCR 3.0.3