Merge pull request #419 from hmcts/PUB-2363

PUB-2363 - Add SSO user provenance

README.md

@@ -89,7 +89,7 @@ If a publication is PRIVATE or CLASSIFIED, account management is used to validat
 
 For PRIVATE, as long as the user exists in our database, then they are able to see the publication.
 
-For CLASSIFIED, rules are applied based on the List Type and Provenance of the user. For reference, the provenance is which IDAM the user came from (PI_AAD, CFT_IDAM or CRIME_IDAM). The mappings of which provenance can see which list type is defined in the [enum file](./src/main/java/uk/gov/hmcts/reform/pip/account/management/model/ListType.java)
+For CLASSIFIED, rules are applied based on the List Type and Provenance of the user. For reference, the provenance is which IDAM the user came from (PI_AAD, CFT_IDAM, CRIME_IDAM or SSO). The mappings of which provenance can see which list type is defined in the [enum file](./src/main/java/uk/gov/hmcts/reform/pip/account/management/model/ListType.java)
 
 ### Third Party Users
 

build.gradle

@@ -203,7 +203,7 @@ dependencies {
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.9'
   implementation group: 'commons-validator', name: 'commons-validator', version: '1.8.0'
 
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.24', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.25', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
   implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.7.5'

src/functionalTest/java/uk/gov/hmcts/reform/pip/account/management/controllers/AccountTest.java

@@ -201,6 +201,34 @@ void testCreateSingleUser() throws Exception {
         );
     }
 
+    @Test
+    void testCreateSsoUser() throws Exception {
+
+        PiUser validUser = new PiUser();
+        validUser.setEmail("sso@justice.gov.uk");
+        validUser.setProvenanceUserId(UUID.randomUUID().toString());
+        validUser.setUserProvenance(UserProvenances.SSO);
+        validUser.setRoles(Roles.INTERNAL_ADMIN_CTSC);
+
+        MockHttpServletRequestBuilder mockHttpServletRequestBuilder = MockMvcRequestBuilders
+            .post(PI_URL)
+            .content(OBJECT_MAPPER.writeValueAsString(List.of(validUser)))
+            .header(ISSUER_HEADER, SYSTEM_ADMIN_ISSUER_ID)
+            .contentType(MediaType.APPLICATION_JSON);
+
+        MvcResult response = mockMvc.perform(mockHttpServletRequestBuilder).andExpect(status().isCreated()).andReturn();
+        Map<CreationEnum, List<Object>> mappedResponse =
+            OBJECT_MAPPER.readValue(
+                response.getResponse().getContentAsString(),
+                new TypeReference<>() {
+                }
+            );
+
+        assertEquals(1, mappedResponse.get(CreationEnum.CREATED_ACCOUNTS).size(),
+                     "SSO User should be created"
+        );
+    }
+
     @Test
     void testCreateMultipleSuccessUsers() throws Exception {
         User userToReturn = new User();

src/main/java/uk/gov/hmcts/reform/pip/account/management/model/PiUser.java

@@ -45,7 +45,7 @@ public class PiUser {
     private UUID userId;
 
     /**
-     * The Sign in entry system the user was added with. (CFT IDAM, Crime IDAM, P&I AAD).
+     * The Sign in entry system the user was added with. (CFT IDAM, Crime IDAM, P&I AAD, SSO).
      */
     @Enumerated(EnumType.STRING)
     private UserProvenances userProvenance;

src/test/java/uk/gov/hmcts/reform/pip/account/management/service/AccountFilteringServiceTest.java

@@ -32,6 +32,7 @@
 import static org.mockito.Mockito.when;
 import static uk.gov.hmcts.reform.pip.model.account.Roles.ALL_NON_RESTRICTED_ADMIN_ROLES;
 import static uk.gov.hmcts.reform.pip.model.account.UserProvenances.PI_AAD;
+import static uk.gov.hmcts.reform.pip.model.account.UserProvenances.SSO;
 
 @ExtendWith(MockitoExtension.class)
 class AccountFilteringServiceTest {
@@ -206,4 +207,43 @@ void testGetAdminUserByEmailAndProvenanceNotFound() {
         assertTrue(notFoundException.getMessage().contains(PI_AAD.toString()),
                    "Exception message thrown does not contain provenance");
     }
+
+    @Test
+    void testGetAdminUserByEmailAndProvenanceSso() {
+        PiUser user = new PiUser();
+        user.setEmail(EMAIL);
+        user.setUserProvenance(SSO);
+
+        when(userRepository.findByEmailIgnoreCaseAndUserProvenanceAndRolesIn(EMAIL, SSO,
+                                                                             ALL_NON_RESTRICTED_ADMIN_ROLES))
+            .thenReturn(Optional.of(user));
+
+        PiUser returnedUser = accountFilteringService.getAdminUserByEmailAndProvenance(
+            EMAIL, SSO
+        );
+        assertEquals(user, returnedUser, RETURN_USER_ERROR);
+    }
+
+    @Test
+    void testGetAdminUserByEmailAndProvenanceNotFoundSso() {
+        PiUser user = new PiUser();
+        user.setEmail(EMAIL);
+        user.setUserProvenance(SSO);
+
+        when(userRepository.findByEmailIgnoreCaseAndUserProvenanceAndRolesIn(EMAIL, SSO,
+                                                                             ALL_NON_RESTRICTED_ADMIN_ROLES))
+            .thenReturn(Optional.empty());
+
+        NotFoundException notFoundException = assertThrows(
+            NotFoundException.class,
+            () -> accountFilteringService.getAdminUserByEmailAndProvenance(EMAIL, SSO),
+            USER_NOT_FOUND_EXCEPTION_MESSAGE
+        );
+
+        assertTrue(notFoundException.getMessage().contains("t***@hmcts.net"),
+                   "Exception message thrown does not contain email");
+
+        assertTrue(notFoundException.getMessage().contains(SSO.toString()),
+                   "Exception message thrown does not contain provenance");
+    }
 }

src/test/java/uk/gov/hmcts/reform/pip/account/management/service/SensitivityServiceTest.java

@@ -20,10 +20,13 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("PMD.TooManyMethods")
 class SensitivityServiceTest {
 
     SensitivityService sensitivityService = new SensitivityService();
 
+    private static final String SENSITIVITY_MESSAGE = "Returned false for public sensitivity";
+
     @Test
     void checkPublicReturnsTrueWhenVerified() {
         PiUser piUser = new PiUser();
@@ -32,7 +35,7 @@ void checkPublicReturnsTrueWhenVerified() {
 
         assertTrue(
             sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.PUBLIC),
-            "Returned false for public sensitivity");
+            SENSITIVITY_MESSAGE);
     }
 
     @Test
@@ -43,7 +46,29 @@ void checkPublicReturnsTrueWhenNotVerified() {
 
         assertTrue(
             sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.PUBLIC),
-            "Returned false for public sensitivity");
+            SENSITIVITY_MESSAGE);
+    }
+
+    @Test
+    void checkPublicReturnsTrueWhenVerifiedSso() {
+        PiUser piUser = new PiUser();
+        piUser.setRoles(Roles.VERIFIED);
+        piUser.setUserProvenance(UserProvenances.SSO);
+
+        assertTrue(
+            sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.PUBLIC),
+            SENSITIVITY_MESSAGE);
+    }
+
+    @Test
+    void checkPublicReturnsTrueWhenNotVerifiedSso() {
+        PiUser piUser = new PiUser();
+        piUser.setRoles(Roles.INTERNAL_ADMIN_CTSC);
+        piUser.setUserProvenance(UserProvenances.SSO);
+
+        assertTrue(
+            sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.PUBLIC),
+            SENSITIVITY_MESSAGE);
     }
 
     @ParameterizedTest
@@ -73,6 +98,17 @@ void checkPrivateReturnsFalseWhenNotVerified() {
             "Returned true for private sensitivity when not verified");
     }
 
+    @Test
+    void checkPrivateReturnsFalseWhenNotVerifiedSso() {
+        PiUser piUser = new PiUser();
+        piUser.setRoles(Roles.INTERNAL_ADMIN_CTSC);
+        piUser.setUserProvenance(UserProvenances.SSO);
+
+        assertFalse(
+            sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.PRIVATE),
+            "Returned true for private sensitivity when not verified");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Roles.class, names = {
         "VERIFIED", "GENERAL_THIRD_PARTY", "VERIFIED_THIRD_PARTY_CRIME", "VERIFIED_THIRD_PARTY_CFT",
@@ -122,6 +158,28 @@ void checkClassifiedReturnsFalseWhenVerifiedButNotMatchingProvenance() {
             "Returned true for classified sensitivity when verified with incorrect provenance");
     }
 
+    @Test
+    void checkClassifiedReturnsFalseWhenVerifiedButProvenanceIsSso() {
+        PiUser piUser = new PiUser();
+        piUser.setRoles(Roles.VERIFIED);
+        piUser.setUserProvenance(UserProvenances.SSO);
+
+        assertFalse(
+            sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.CLASSIFIED),
+            "Returned true for classified sensitivity when verified but with SSO provenance");
+    }
+
+    @Test
+    void checkClassifiedReturnsFalseWhenAdminButProvenanceIsSso() {
+        PiUser piUser = new PiUser();
+        piUser.setRoles(Roles.INTERNAL_ADMIN_CTSC);
+        piUser.setUserProvenance(UserProvenances.SSO);
+
+        assertFalse(
+            sensitivityService.checkAuthorisation(piUser, ListType.CIVIL_DAILY_CAUSE_LIST, Sensitivity.CLASSIFIED),
+            "Returned true for classified sensitivity when admin user has SSO provenance");
+    }
+
     @ParameterizedTest
     @MethodSource("parameters")
     void checkClassifiedReturnsTrueForAllowedThirdPartyRolesOnly(ListType listType, Roles roles,