LIME-1114: Updated UnHappy Path scenario for invalid headers

to check that when a invalid sessionid is sent to the driving licence endpoint, or authcode is sent in credential issuer endpoint
govuk-one-login · Sep 24, 2024 · a0bf346 · a0bf346
1 parent b7962df
commit a0bf346
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 0 deletions.
diff --git a/...ests/src/test/java/uk/gov/di/ipv/cri/passport/acceptance_tests/pages/PassportAPIPage.java b/...ests/src/test/java/uk/gov/di/ipv/cri/passport/acceptance_tests/pages/PassportAPIPage.java
@@ -33,6 +33,7 @@
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.*;
 
@@ -162,6 +163,79 @@ public void postRequestToPassportEndpoint(
 
         LOGGER.info("passportCheckResponse = " + passportCheckResponse);
 
+        try {
+            CheckPassportSuccessResponse checkPassportSuccessResponse =
+                    objectMapper.readValue(
+                            passportCheckResponse, CheckPassportSuccessResponse.class);
+
+            STATE = checkPassportSuccessResponse.getState();
+            SESSION_ID = checkPassportSuccessResponse.getPassportSessionId();
+
+            LOGGER.info("Found a CheckPassportSuccessResponse");
+
+        } catch (JsonMappingException e) {
+            LOGGER.info("Not a CheckPassportSuccessResponse");
+
+            RETRY = passportCheckResponse;
+            LOGGER.info("RETRY = {}", RETRY);
+        }
+    }
+
+    public void postRequestToPassportEndpointWithInvalidSessionId(
+            String invalidHeaderValue, String passportJsonRequestBody)
+            throws IOException, InterruptedException, NoSuchFieldException, IllegalAccessException {
+        postRequestToPassportEndpointWithInvalidSessionId(
+                invalidHeaderValue, passportJsonRequestBody, "");
+    }
+
+    public void postRequestToPassportEndpointWithInvalidSessionId(
+            String invalidHeaderValue, String passportJsonRequestBody, String jsonEditsString)
+            throws IOException, InterruptedException, NoSuchFieldException, IllegalAccessException {
+        Map<String, String> jsonEdits = new HashMap<>();
+        if (!StringUtils.isEmpty(jsonEditsString)) {
+            jsonEdits = objectMapper.readValue(jsonEditsString, Map.class);
+        }
+
+        String privateApiGatewayUrl = configurationService.getPrivateAPIEndpoint();
+        PassportFormData passportJson =
+                objectMapper.readValue(
+                        new File("src/test/resources/Data/" + passportJsonRequestBody + ".json"),
+                        PassportFormData.class);
+
+        for (Map.Entry<String, String> entry : jsonEdits.entrySet()) {
+            Field field = passportJson.getClass().getDeclaredField(entry.getKey());
+            field.setAccessible(true);
+
+            field.set(passportJson, entry.getValue());
+        }
+        String passportInputJsonString = objectMapper.writeValueAsString(passportJson);
+
+        HttpRequest.Builder builder = HttpRequest.newBuilder();
+        builder.uri(URI.create(privateApiGatewayUrl + "/check-passport"))
+                .setHeader("Accept", "application/json")
+                .setHeader("Content-Type", "application/json")
+                .POST(HttpRequest.BodyPublishers.ofString(passportInputJsonString));
+
+        switch (invalidHeaderValue) {
+            case "invalidSessionId" -> builder.setHeader(
+                    "session_id", UUID.randomUUID().toString());
+            case "malformedSessionId" -> builder.setHeader("session_id", "&%^$£$%");
+            case "missingSessionId" -> builder.setHeader("session_id", "");
+            default -> {
+                /*Do Nothing - No Header Provided*/
+            }
+        }
+
+        HttpRequest request = builder.build();
+        LOGGER.info("passport RequestBody = {}, {}", passportInputJsonString, request.headers());
+        String passportCheckResponse = sendHttpRequest(request).body();
+
+        LOGGER.info("passportCheckResponse = {}", passportCheckResponse);
+
+        String expectedResponseForInvalidSessionId =
+                "{\"oauth_error\":{\"error_description\":\"Session not found\",\"error\":\"access_denied\"}}";
+        assertEquals(expectedResponseForInvalidSessionId, passportCheckResponse);
+
         try {
             CheckPassportSuccessResponse checkPassportSuccessResponse =
                     objectMapper.readValue(
@@ -285,6 +359,26 @@ public void postRequestToPassportVCEndpoint()
         Assert.assertFalse("The 'kid' field suffix should not be empty", kidSuffix.isEmpty());
     }
 
+    public void postRequestToPassportVCEndpointWithInvalidAuthCode()
+            throws IOException, InterruptedException {
+        String publicApiGatewayUrl = configurationService.getPublicAPIEndpoint();
+        String randomAccessToken = UUID.randomUUID().toString();
+        HttpRequest request =
+                HttpRequest.newBuilder()
+                        .uri(URI.create(publicApiGatewayUrl + "/credential/issue"))
+                        .setHeader("Accept", "application/json")
+                        .setHeader("Content-Type", "application/json")
+                        .setHeader("Authorization", "Bearer " + randomAccessToken)
+                        .POST(HttpRequest.BodyPublishers.ofString(""))
+                        .build();
+        String requestPassportVCResponse = sendHttpRequest(request).body();
+        LOGGER.info("requestPassportVCResponse = {}", requestPassportVCResponse);
+
+        String expectedResponseForInvalidAuthCode =
+                "{\"oauth_error\":{\"error_description\":\"Session not found\",\"error\":\"access_denied\"}}";
+        assertEquals(expectedResponseForInvalidAuthCode, requestPassportVCResponse);
+    }
+
     public void validityScoreAndStrengthScoreInVC(String validityScore, String strengthScore)
             throws IOException, InterruptedException, ParseException {
         scoreIs(validityScore, strengthScore, vcBody);

diff --git a/...ava/uk/gov/di/ipv/cri/passport/acceptance_tests/step_definitions/PassportAPIStepDefs.java b/...ava/uk/gov/di/ipv/cri/passport/acceptance_tests/step_definitions/PassportAPIStepDefs.java
@@ -39,6 +39,15 @@ public void passport_user_sends_a_post_request_to_passport_end_point(
         postRequestToPassportEndpoint(passportJsonRequestBody);
     }
 
+    @When(
+            "Passport user sends a POST request to Passport endpoint with a invalid (.*) using jsonRequest (.*)$")
+    public void passport_user_sends_a_post_request_to_passport_end_point_with_invalid_sessionId(
+            String invalidHeaderValue, String passportJsonRequestBody)
+            throws IOException, InterruptedException, NoSuchFieldException, IllegalAccessException {
+        postRequestToPassportEndpointWithInvalidSessionId(
+                invalidHeaderValue, passportJsonRequestBody);
+    }
+
     @When(
             "Passport user sends a editable POST request to Passport endpoint using jsonRequest (.*) with edited fields (.*)$")
     public void passport_user_sends_a_post_request_to_passport_end_point(
@@ -69,6 +78,13 @@ public void user_requests_passport_vc()
         postRequestToPassportVCEndpoint();
     }
 
+    @Then(
+            "User requests Passport CRI VC from the Credential Issuer Endpoint with a invalid Bearer Token value")
+    public void user_requests_passport_vc_with_invalid_headers()
+            throws IOException, InterruptedException {
+        postRequestToPassportVCEndpointWithInvalidAuthCode();
+    }
+
     @And("Passport VC should contain validityScore (.*) and strengthScore (.*)$")
     public void passport_vc_should_contain_validity_score_and_strength_score(
             String validityScore, String strengthScore)

diff --git a/acceptance-tests/src/test/resources/features/passport/PassportCRIAPI.feature b/acceptance-tests/src/test/resources/features/passport/PassportCRIAPI.feature
@@ -55,3 +55,26 @@ Feature: Passport CRI API
       |PassportJsonPayload              | CI  |  Scenario |
       |PassportInvalidCI1JsonPayload    | D01 |  3        |
       |PassportInvalidCI2JsonPayload    | D01 |  4        |
+
+  @hmpoDVAD @pre-merge @dev
+  Scenario Outline: Passport Journey Un-Happy path with invalid sessionId on Passport Endpoint
+    Given Passport user has the user identity in the form of a signed JWT string for CRI Id passport-v1-cri-dev and row number 6
+    And Passport user sends a POST request to session endpoint
+    And Passport user gets a session-id
+    When Passport user sends a POST request to Passport endpoint with a invalid <invalidHeaderValue> using jsonRequest PassportValidKennethJsonPayload
+    Examples:
+      |invalidHeaderValue              |
+      | invalidSessionId               |
+      | malformedSessionId             |
+      | missingSessionId               |
+#      | noSessionHeader                |
+
+  @hmpoDVAD @pre-merge @dev
+  Scenario: Passport Journey Un-Happy path with invalid authCode on Credential Issuer Endpoint
+    Given Passport user has the user identity in the form of a signed JWT string for CRI Id passport-v1-cri-dev and row number 6
+    And Passport user sends a POST request to session endpoint
+    And Passport user gets a session-id
+    When Passport user sends a POST request to Passport endpoint using jsonRequest PassportValidKennethJsonPayload
+    And Passport user gets authorisation code
+    And Passport user sends a POST request to Access Token endpoint passport-v1-cri-dev
+    Then User requests Passport CRI VC from the Credential Issuer Endpoint with a invalid Bearer Token value