Add authorise user constraint system spec

alphagov · Apr 24, 2024 · dded52d · dded52d
1 parent a44f0bf
commit dded52d
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 5 deletions.
diff --git a/lib/gds-sso/railtie.rb b/lib/gds-sso/railtie.rb
@@ -1,16 +1,16 @@
 module GDS
   module SSO
     class Railtie < Rails::Railtie
+      config.action_dispatch.rescue_responses.merge!(
+        "GDS::SSO::PermissionDeniedError" => :forbidden,
+      )
+
       initializer "gds-sso.initializer" do
         GDS::SSO.config do |config|
           config.cache = Rails.cache
           config.api_only = Rails.configuration.api_only
         end
         OmniAuth.config.logger = Rails.logger
-
-        config.action_dispatch.rescue_responses.merge!(
-          "GDS::SSO::PermissionDeniedError" => :forbidden,
-        )
       end
     end
   end

diff --git a/spec/internal/app/controllers/example_controller.rb b/spec/internal/app/controllers/example_controller.rb
@@ -1,7 +1,6 @@
 class ExampleController < ApplicationController
   before_action :authenticate_user!, except: :not_restricted
   before_action -> { authorise_user!("execute") }, only: :this_requires_execute_permission
-
   def not_restricted
     render body: "jabberwocky"
   end
@@ -13,4 +12,8 @@ def restricted
   def this_requires_execute_permission
     render body: "you have execute permission"
   end
+
+  def constraint_restricted
+    render body: "constraint restricted"
+  end
 end
diff --git a/spec/internal/config/routes.rb b/spec/internal/config/routes.rb
@@ -4,4 +4,8 @@
   get "/not-restricted" => "example#not_restricted"
   get "/restricted" => "example#restricted"
   get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
+
+  constraints(GDS::SSO::AuthorisedUserConstraint.new("execute")) do
+    get "/constraint-restricted" => "example#constraint_restricted"
+  end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -8,6 +8,7 @@
 
 Combustion.initialize! :all do
   config.cache_store = :null_store
+  config.action_dispatch.show_exceptions = :all
 end
 
 require "rspec/rails"

diff --git a/spec/system/authentication_and_authorisation_spec.rb b/spec/system/authentication_and_authorisation_spec.rb
@@ -119,6 +119,27 @@
     end
   end
 
+  context "when accessing a route that is restricted by the authorised user constraint" do
+    it "allows access when an authenticated user has correct permissions" do
+      stub_signon_authenticated(permissions: %w[execute])
+      visit "/constraint-restricted"
+      expect(page).to have_content("constraint restricted")
+    end
+
+    it "redirects an unauthenticated request to signon" do
+      visit "/constraint-restricted"
+      expect(page.response_headers["Location"]).to match("/auth/gds")
+      visit page.response_headers["Location"]
+      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
+    end
+
+    it "restricts access when an authenticated user does not have the correct permissions" do
+      stub_signon_authenticated(permissions: %w[no-access])
+      visit "/constraint-restricted"
+      expect(page.status_code).to eq(403)
+    end
+  end
+
   def stub_signon_authenticated(permissions: [])
     # visit restricted page to trigger redirect URL to record state attribute
     visit "/auth/gds"