HMAI-122 Add tests for existing AuthorisationFilter (#547)

* add authorisation filter tests to check onward chain is called and errors are generated

Co-authored-by: emmalanigan <emma.lanigan@digital.justice.gov.uk>

* add test to check it generates error when subject distinguished name is null in the request Co-authored-by: emma.lanigan <emma.lanigan@justice.gov.uk>

* mock service in test for unauthorised requested path

* Revert change to mock authorisation service.

---------

Co-authored-by: emmalanigan <emma.lanigan@digital.justice.gov.uk>
Co-authored-by: emmalanigan <emma.lanigan@justice.gov.uk>

Author: 3 people

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/extensions/AuthorisationFilter.kt

@@ -18,34 +18,35 @@ import java.io.IOException
 @Component
 @Order(1)
 @EnableConfigurationProperties(AuthorisationConfig::class)
-class AuthorisationFilter : Filter {
+class AuthorisationFilter
   @Autowired
-  lateinit var authorisationConfig: AuthorisationConfig
+  constructor(
+    var authorisationConfig: AuthorisationConfig,
+  ) : Filter {
+    @Throws(IOException::class, ServletException::class)
+    override fun doFilter(
+      request: ServletRequest,
+      response: ServletResponse?,
+      chain: FilterChain,
+    ) {
+      val req = request as HttpServletRequest
+      val res = response as HttpServletResponse
+      val authoriseConsumerService = AuthoriseConsumerService()
+      val subjectDistinguishedName = req.getAttribute("clientName") as String?
+      val requestedPath = req.requestURI
 
-  @Throws(IOException::class, ServletException::class)
-  override fun doFilter(
-    request: ServletRequest,
-    response: ServletResponse?,
-    chain: FilterChain,
-  ) {
-    val req = request as HttpServletRequest
-    val res = response as HttpServletResponse
-    val authoriseConsumerService = AuthoriseConsumerService()
-    val subjectDistinguishedName = req.getAttribute("clientName") as String?
-    val requestedPath = req.requestURI
+      if (subjectDistinguishedName == null) {
+        res.sendError(HttpServletResponse.SC_FORBIDDEN, "No subject-distinguished-name header provided for authorisation")
+        return
+      }
 
-    if (subjectDistinguishedName == null) {
-      res.sendError(HttpServletResponse.SC_FORBIDDEN, "No subject-distinguished-name header provided for authorisation")
-      return
-    }
+      val result = authoriseConsumerService.execute(subjectDistinguishedName, authorisationConfig.consumers, requestedPath)
 
-    val result = authoriseConsumerService.execute(subjectDistinguishedName, authorisationConfig.consumers, requestedPath)
+      if (!result) {
+        res.sendError(HttpServletResponse.SC_FORBIDDEN, "Unable to authorise $requestedPath for $subjectDistinguishedName")
+        return
+      }
 
-    if (!result) {
-      res.sendError(HttpServletResponse.SC_FORBIDDEN, "Unable to authorise $requestedPath for $subjectDistinguishedName")
-      return
+      chain.doFilter(request, response)
     }
-
-    chain.doFilter(request, response)
   }
-}

src/test/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/extensions/AuthorisationFilterTest.kt

@@ -0,0 +1,70 @@
+package uk.gov.justice.digital.hmpps.hmppsintegrationapi.extensions
+
+import jakarta.servlet.FilterChain
+import jakarta.servlet.http.HttpServletRequest
+import jakarta.servlet.http.HttpServletResponse
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito.mock
+import org.mockito.Mockito.times
+import org.mockito.Mockito.verify
+import org.mockito.kotlin.whenever
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.config.AuthorisationConfig
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.roleconfig.ConsumerConfig
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.roleconfig.ConsumerFilters
+
+class AuthorisationFilterTest {
+  private var authorisationConfig: AuthorisationConfig = AuthorisationConfig()
+  private var authorisationFilter: AuthorisationFilter = AuthorisationFilter(authorisationConfig)
+  private var examplePath: String = "/v1/persons"
+  private var exampleConsumer: String = "consumer-name"
+
+  @Test
+  fun `calls the onward chain`() {
+    // Arrange
+    val mockRequest = mock(HttpServletRequest::class.java)
+    whenever(mockRequest.requestURI).thenReturn(examplePath)
+    whenever(mockRequest.getAttribute("clientName")).thenReturn(exampleConsumer)
+    val mockResponse = mock(HttpServletResponse::class.java)
+    val mockChain = mock(FilterChain::class.java)
+
+    authorisationConfig.consumers = mapOf(exampleConsumer to ConsumerConfig(include = listOf(examplePath), filters = ConsumerFilters(emptyMap())))
+
+    // Act
+    authorisationFilter.doFilter(mockRequest, mockResponse, mockChain)
+
+    // Assert
+    verify(mockChain, times(1)).doFilter(mockRequest, mockResponse)
+  }
+
+  @Test
+  fun `generates error when consumer is unauthorised for requested path`() {
+    val mockRequest = mock(HttpServletRequest::class.java)
+    whenever(mockRequest.requestURI).thenReturn(examplePath)
+    whenever(mockRequest.getAttribute("clientName")).thenReturn(exampleConsumer)
+    val mockResponse = mock(HttpServletResponse::class.java)
+    val mockChain = mock(FilterChain::class.java)
+
+    authorisationConfig.consumers = mapOf(exampleConsumer to ConsumerConfig(include = emptyList(), filters = ConsumerFilters(emptyMap())))
+
+    val authorisationFilter = AuthorisationFilter(authorisationConfig)
+
+    // Act
+    authorisationFilter.doFilter(mockRequest, mockResponse, mockChain)
+
+    // Assert
+    verify(mockResponse, times(1)).sendError(403, "Unable to authorise /v1/persons for consumer-name")
+  }
+
+  @Test
+  fun `generates error when subject distinguished name is null in the request`() {
+    val mockRequest = mock(HttpServletRequest::class.java)
+    whenever(mockRequest.requestURI).thenReturn(examplePath)
+    whenever(mockRequest.getAttribute("clientName")).thenReturn(null)
+    val mockResponse = mock(HttpServletResponse::class.java)
+    val mockChain = mock(FilterChain::class.java)
+
+    authorisationFilter.doFilter(mockRequest, mockResponse, mockChain)
+
+    verify(mockResponse, times(1)).sendError(403, "No subject-distinguished-name header provided for authorisation")
+  }
+}