Mobile: Update demographics policy and update all associated controll…

…ers and … (#12813) * Update demographics policy and update all associated controllers and service to use policy * Rubocop * Make swagger test pass
department-of-veterans-affairs · May 26, 2023 · 9c2cea3 · 9c2cea3
1 parent 5ecee59
commit 9c2cea3
Show file tree

Hide file tree

Showing 13 changed files with 36 additions and 41 deletions.
diff --git a/app/controllers/v0/profile/gender_identities_controller.rb b/app/controllers/v0/profile/gender_identities_controller.rb
@@ -5,6 +5,7 @@
 module V0
   module Profile
     class GenderIdentitiesController < ApplicationController
+      before_action { authorize :demographics, :access? }
       before_action { authorize :mpi, :queryable? }
 
       def update

diff --git a/app/controllers/v0/profile/personal_informations_controller.rb b/app/controllers/v0/profile/personal_informations_controller.rb
@@ -5,6 +5,7 @@
 module V0
   module Profile
     class PersonalInformationsController < ApplicationController
+      before_action { authorize :demographics, :access? }
       before_action { authorize :mpi, :queryable? }
 
       # Fetches the personal information for the current user.

diff --git a/app/controllers/v0/profile/preferred_names_controller.rb b/app/controllers/v0/profile/preferred_names_controller.rb
@@ -5,6 +5,7 @@
 module V0
   module Profile
     class PreferredNamesController < ApplicationController
+      before_action { authorize :demographics, :access? }
       before_action { authorize :mpi, :queryable? }
 
       def update

diff --git a/app/policies/demographics_policy.rb b/app/policies/demographics_policy.rb
@@ -1,11 +1,22 @@
 # frozen_string_literal: true
 
 DemographicsPolicy = Struct.new(:user, :gender_identity) do
+  def allowed_providers
+    %w[
+      idme
+      oauth_IDME
+      logingov
+      oauth_LOGINGOV
+    ].freeze
+  end
+
   def access?
-    user&.idme_uuid.present? || user&.logingov_uuid.present?
+    user.loa3? &&
+      allowed_providers.include?(user.identity.sign_in[:service_name])
   end
 
   def access_update?
-    user&.idme_uuid.present? || user&.logingov_uuid.present?
+    user.loa3? &&
+      allowed_providers.include?(user.identity.sign_in[:service_name])
   end
 end
diff --git a/lib/va_profile/demographics/service.rb b/lib/va_profile/demographics/service.rb
@@ -19,7 +19,7 @@ class Service < VAProfile::Service
       # Returns a response object containing the user's preferred name, and gender-identity
       def get_demographics
         with_monitoring do
-          return build_response(401, nil) unless identifier_present?
+          return build_response(401, nil) unless DemographicsPolicy.new(@user).access_update?
 
           response = perform(:get, identity_path)
           build_response(response&.status, response&.body)
@@ -57,7 +57,7 @@ def save_gender_identity(gender_identity)
 
       def post_or_put_data(method, model, path, response_class)
         with_monitoring do
-          raise 'User does not have a valid CSP ID' unless identifier_present?
+          raise 'User does not have a valid CSP ID' unless DemographicsPolicy.new(@user).access_update?
 
           model.set_defaults(@user)
           response = perform(method, identity_path(path), model.in_json)
@@ -94,10 +94,6 @@ def build_response(status, body)
 
       private
 
-      def identifier_present?
-        @user&.idme_uuid.present? || @user&.logingov_uuid.present?
-      end
-
       def csp_id_with_aaid
         "#{csp_id}#{aaid}"
       end

diff --git a/modules/mobile/spec/request/gender_identity_request_spec.rb b/modules/mobile/spec/request/gender_identity_request_spec.rb
@@ -12,7 +12,6 @@
 
     before do
       iam_sign_in(FactoryBot.build(:iam_user, :logingov))
-      allow_any_instance_of(User).to receive(:logingov_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
     end
 
     describe 'GET /mobile/v0/gender_identity/edit' do
@@ -38,7 +37,7 @@
         it 'returns a 201' do
           gender_identity = VAProfile::Models::GenderIdentity.new(code: 'F')
 
-          VCR.use_cassette('mobile/va_profile/post_gender_identity_success', erb: { login_uri: }) do
+          VCR.use_cassette('mobile/va_profile/post_gender_identity_success') do
             put('/mobile/v0/user/gender_identity', params: gender_identity.to_h, headers: iam_headers)
             expect(response).to have_http_status(:no_content)
           end
@@ -74,7 +73,6 @@
 
     before do
       iam_sign_in(FactoryBot.build(:iam_user))
-      allow_any_instance_of(User).to receive(:idme_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
     end
 
     describe 'GET /mobile/v0/gender_identity/edit' do
@@ -100,7 +98,7 @@
         it 'returns a 201' do
           gender_identity = VAProfile::Models::GenderIdentity.new(code: 'F')
 
-          VCR.use_cassette('mobile/va_profile/post_gender_identity_success', erb: { login_uri: }) do
+          VCR.use_cassette('mobile/va_profile/post_gender_identity_success') do
             put('/mobile/v0/user/gender_identity', params: gender_identity.to_h, headers: iam_headers)
             expect(response).to have_http_status(:no_content)
           end
@@ -133,7 +131,7 @@
 
   describe 'unauthorized user' do
     before do
-      iam_sign_in(FactoryBot.build(:iam_user))
+      iam_sign_in(FactoryBot.build(:iam_user, :no_multifactor))
     end
 
     describe 'GET /mobile/v0/gender_identity/edit' do

diff --git a/modules/mobile/spec/request/preferred_name_request_spec.rb b/modules/mobile/spec/request/preferred_name_request_spec.rb
@@ -12,14 +12,13 @@
 
     before do
       iam_sign_in(FactoryBot.build(:iam_user, :logingov))
-      allow_any_instance_of(User).to receive(:logingov_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
     end
 
     describe 'PUT /mobile/v0/profile/preferred_names' do
       context 'when text is valid' do
         it 'returns 204', :aggregate_failures do
           preferred_name = VAProfile::Models::PreferredName.new(text: 'Pat')
-          VCR.use_cassette('mobile/va_profile/post_preferred_name_success', erb: { login_uri: }) do
+          VCR.use_cassette('mobile/va_profile/post_preferred_name_success') do
             VCR.use_cassette('mobile/demographics/logingov') do
               put('/mobile/v0/user/preferred_name', params: preferred_name.to_h, headers: iam_headers)
 
@@ -60,14 +59,13 @@
 
     before do
       iam_sign_in(FactoryBot.build(:iam_user))
-      allow_any_instance_of(User).to receive(:idme_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
     end
 
     describe 'PUT /mobile/v0/profile/preferred_names' do
       context 'when text is valid' do
         it 'returns 204', :aggregate_failures do
           preferred_name = VAProfile::Models::PreferredName.new(text: 'Pat')
-          VCR.use_cassette('mobile/va_profile/post_preferred_name_success', erb: { login_uri: }) do
+          VCR.use_cassette('mobile/va_profile/post_preferred_name_success') do
             VCR.use_cassette('va_profile/demographics/demographics') do
               put('/mobile/v0/user/preferred_name', params: preferred_name.to_h, headers: iam_headers)
 
@@ -105,7 +103,7 @@
 
   describe 'unauthorized user' do
     before do
-      iam_sign_in(FactoryBot.build(:iam_user))
+      iam_sign_in(FactoryBot.build(:iam_user, :no_multifactor))
     end
 
     describe 'PUT /mobile/v0/profile/preferred_names' do

diff --git a/modules/mobile/spec/request/user_request_spec.rb b/modules/mobile/spec/request/user_request_spec.rb
@@ -12,8 +12,7 @@
 
   describe 'GET /mobile/v0/user' do
     before do
-      iam_sign_in
-      allow_any_instance_of(IAMUser).to receive(:idme_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
+      iam_sign_in(FactoryBot.build(:iam_user))
     end
 
     before(:all) do
@@ -318,8 +317,6 @@
               paymentHistory
               userProfileUpdate
               scheduleAppointments
-              preferredName
-              genderIdentity
             ]
           )
         end
@@ -352,8 +349,6 @@
               userProfileUpdate
               scheduleAppointments
               prescriptions
-              preferredName
-              genderIdentity
             ]
           )
         end
@@ -734,10 +729,9 @@
       end
     end
 
-    context 'no idme_uuid or logingov_uuid' do
+    context 'no idme logingov' do
       before do
-        allow_any_instance_of(IAMUser).to receive(:idme_uuid).and_return(nil)
-        allow_any_instance_of(IAMUser).to receive(:logingov_uuid).and_return(nil)
+        iam_sign_in(FactoryBot.build(:iam_user, :no_multifactor))
 
         VCR.use_cassette('payment_information/payment_information') do
           VCR.use_cassette('user/get_facilities') do
@@ -754,14 +748,12 @@
             appeals
             appointments
             claims
-            directDepositBenefits
             disabilityRating
             lettersAndDocuments
             militaryServiceHistory
             paymentHistory
             userProfileUpdate
             scheduleAppointments
-            directDepositBenefitsUpdate
           ]
         )
       end

diff --git a/modules/mobile/spec/request/v1/user_request_spec.rb b/modules/mobile/spec/request/v1/user_request_spec.rb
@@ -10,7 +10,6 @@
 
   describe 'GET /mobile/v1/user' do
     before do
-      allow_any_instance_of(IAMUser).to receive(:idme_uuid).and_return('b2fab2b5-6af0-45e1-a9e2-394347af91ef')
       iam_sign_in(build(:iam_user))
     end
 
@@ -294,8 +293,6 @@
               paymentHistory
               userProfileUpdate
               scheduleAppointments
-              preferredName
-              genderIdentity
             ]
           )
         end
@@ -328,8 +325,6 @@
               userProfileUpdate
               scheduleAppointments
               prescriptions
-              preferredName
-              genderIdentity
             ]
           )
         end
@@ -690,8 +685,7 @@
 
     context 'no idme_uuid or logingov_uuid' do
       before do
-        allow_any_instance_of(IAMUser).to receive(:idme_uuid).and_return(nil)
-        allow_any_instance_of(IAMUser).to receive(:logingov_uuid).and_return(nil)
+        iam_sign_in(FactoryBot.build(:iam_user, :no_multifactor))
 
         VCR.use_cassette('payment_information/payment_information') do
           VCR.use_cassette('user/get_facilities') do
@@ -708,14 +702,12 @@
             appeals
             appointments
             claims
-            directDepositBenefits
             disabilityRating
             lettersAndDocuments
             militaryServiceHistory
             paymentHistory
             userProfileUpdate
             scheduleAppointments
-            directDepositBenefitsUpdate
           ]
         )
       end

diff --git a/modules/mobile/spec/support/vcr_cassettes/va_profile/demographics/demographics.yml b/modules/mobile/spec/support/vcr_cassettes/va_profile/demographics/demographics.yml
diff --git a/spec/requests/swagger_spec.rb b/spec/requests/swagger_spec.rb
@@ -3081,6 +3081,11 @@
 
     describe 'when MVI returns an unexpected response body' do
       it 'supports returning a custom 502 response' do
+        allow_any_instance_of(UserIdentity).to receive(:sign_in).and_return({
+                                                                              service_name: 'oauth_IDME',
+                                                                              auth_broker: 'IDME'
+                                                                            })
+
         allow_any_instance_of(MPI::Models::MviProfile).to receive(:gender).and_return(nil)
         allow_any_instance_of(MPI::Models::MviProfile).to receive(:birth_date).and_return(nil)
 

diff --git a/spec/support/vcr_cassettes/mobile/va_profile/post_gender_identity_success.yml b/spec/support/vcr_cassettes/mobile/va_profile/post_gender_identity_success.yml
diff --git a/spec/support/vcr_cassettes/mobile/va_profile/post_preferred_name_success.yml b/spec/support/vcr_cassettes/mobile/va_profile/post_preferred_name_success.yml