feat(cb2-15629): add path for ATI authentication (#172)

dvsa · Jan 8, 2025 · 610f7a8 · 610f7a8
1 parent d172e2b
commit 610f7a8
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 7 deletions.
diff --git a/src/models/user.ts b/src/models/user.ts
@@ -4,4 +4,5 @@ export type AuthorisationJwtBearerToken = {
   email: string,
   preferred_username: string,
   upn: string,
+  appid: string;
 };
diff --git a/src/services/user.ts b/src/services/user.ts
@@ -31,6 +31,19 @@ export const getUserDetails = (jwt: string): UserDetails => {
       return userDetails;
     }
 
+    // Similarly, if the token is from the ATI app, we can set the username and email to ATI_SYSTEM_USER.
+    // We don't want to use the above path as the ATI app is a different entity to the data remediation app.
+
+    // There are possibly multiple app ids per env in VTx based on how Dynamics envs are configured.
+    const atiAppIds = process.env.ATI_APP_IDS?.split(',') ?? [];
+
+    // Longer term, this and the above data bypass would be better served using role based access control.
+    if (!!decodedToken.appid && atiAppIds.includes(decodedToken.appid)) {
+      userDetails.username = 'ATI_SYSTEM_USER';
+      userDetails.email = 'ATI_SYSTEM_USER';
+      return userDetails;
+    }
+
     throw new Error(ERRORS.MISSING_USER_DETAILS);
   }
   return userDetails;

diff --git a/tests/unit/services/users.unit.test.ts b/tests/unit/services/users.unit.test.ts
@@ -7,15 +7,17 @@ describe('Test User Service', () => {
       const header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
       const payload = 'eyJuYW1lIjoiSm9obiBEb2UiLCJvaWQiOjE1MTYyMzkwMjJ9';
       const signature = 'n_aQxbA3-fsgfEdIMS61YGu-u8flaPYESJxRuaFzEXc';
-      const res : UserDetails = getUserDetails(`${header}.${payload}.${signature}`);
-      expect(res.username).toBe('John Doe');
+      const res: UserDetails = getUserDetails(`${header}.${payload}.${signature}`);
+      expect(res.username)
+        .toBe('John Doe');
     });
     it('should throw an error if user details are missing', () => {
       const header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
       const payload = 'eyJvaWQiOjE1MTYyMzkwMjJ9';
       const signature = 'OeYj2GlIUPh1y-xb6UMvq5m8V_nPFX5D_sBA4Fcnmz8';
 
-      expect(() => getUserDetails(`${header}.${payload}.${signature}`)).toThrow(ERRORS.MISSING_USER_DETAILS);
+      expect(() => getUserDetails(`${header}.${payload}.${signature}`))
+        .toThrow(ERRORS.MISSING_USER_DETAILS);
     });
   });
 
@@ -24,17 +26,23 @@ describe('Test User Service', () => {
       process.env.ENABLE_SYSTEM_USER_IMPERSONATION = undefined;
     });
 
+    afterEach(() => {
+      process.env.ENABLE_SYSTEM_USER_IMPERSONATION = undefined;
+    });
+
     it('should successfully get the system user', () => {
       process.env.ENABLE_SYSTEM_USER_IMPERSONATION = 'true';
 
       const header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
       const payload = 'eyJvaWQiOjE1MTYyMzkwMjJ9';
       const signature = 'OeYj2GlIUPh1y-xb6UMvq5m8V_nPFX5D_sBA4Fcnmz8';
 
-      const res : UserDetails = getUserDetails(`${header}.${payload}.${signature}`);
+      const res: UserDetails = getUserDetails(`${header}.${payload}.${signature}`);
 
-      expect(res.username).toBe('SYSTEM_USER');
-      expect(res.email).toBe('SYSTEM_USER');
+      expect(res.username)
+        .toBe('SYSTEM_USER');
+      expect(res.email)
+        .toBe('SYSTEM_USER');
     });
 
     it('should throw an error if the environment variable is not set', () => {
@@ -43,7 +51,32 @@ describe('Test User Service', () => {
       const payload = 'eyJvaWQiOjE1MTYyMzkwMjJ9';
       const signature = 'OeYj2GlIUPh1y-xb6UMvq5m8V_nPFX5D_sBA4Fcnmz8';
 
-      expect(() => getUserDetails(`${header}.${payload}.${signature}`)).toThrow(ERRORS.MISSING_USER_DETAILS);
+      expect(() => getUserDetails(`${header}.${payload}.${signature}`))
+        .toThrow(ERRORS.MISSING_USER_DETAILS);
+    });
+  });
+
+  describe('Should override with ATI system user when the ATI environment variable is set', () => {
+    beforeEach(() => {
+      process.env.ATI_APP_IDS = undefined;
+    });
+
+    afterEach(() => {
+      process.env.ATI_APP_IDS = undefined;
+    });
+
+    it('should successfully get the system user', () => {
+      process.env.ATI_APP_IDS = 'app-id-123';
+
+      // eslint-disable-next-line max-len
+      const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqd3QtYnVpbGRlciIsImlhdCI6MTczNDM2NTcyMywiZXhwIjoxNzY1OTAxNzIzLCJhdWQiOiJzb21lLWF1ZCIsInN1YiI6InNvbWUtc3ViIiwiYXBwaWQiOiJhcHAtaWQtMTIzIiwib2lkIjoib2lkLTEyMyIsImVtYWlsIjoic29tZW9uZUBzb21ld2hlcmUuY29tIn0.itSUmFZOGP6sVAGXzr3rCpTTNd9kL5UB7qou__2EVdI';
+
+      const res: UserDetails = getUserDetails(jwt);
+
+      expect(res.username)
+        .toBe('ATI_SYSTEM_USER');
+      expect(res.email)
+        .toBe('ATI_SYSTEM_USER');
     });
   });
 });