department-of-veterans-affairs · bramleyjl · Nov 26, 2024 · Nov 26, 2024 · Dec 2, 2024 · Dec 11, 2024
@@ -11,7 +11,7 @@ def token
       result = MAP::SecurityToken::Service.new.token(application: params[:application].to_sym, icn:, cache: false)
 
       render json: result, status: :ok
-    rescue Common::Client::Errors::ClientError, Common::Exceptions::GatewayTimeout
+    rescue Common::Client::Errors::ClientError, Common::Exceptions::GatewayTimeout, JWT::VerificationError
       render json: sts_client_error, status: :bad_gateway
     rescue MAP::SecurityToken::Errors::ApplicationMismatchError
       render json: application_mismatch_error, status: :bad_request

@@ -33,6 +33,7 @@ map_services:
   oauth_url: https://veteran.apps-staging.va.gov
   client_cert_path: spec/fixtures/map/oauth.crt
   client_key_path: spec/fixtures/map/oauth.key
+  provider_cert_path: spec/fixtures/map/provider.crt
   sign_up_service_url: https://cerner.apps-staging.va.gov
   sign_up_service_provisioning_api_key: abcd1234
   secure_token_service:

@@ -34,6 +34,10 @@ def client_cert_path
         Settings.map_services.client_cert_path
       end
 
+      def provider_cert_path
+        Settings.map_services.provider_cert_path
+      end
+
       def service_name
         'map_security_token_service'
       end
@@ -78,6 +82,10 @@ def client_assertion_certificate
         OpenSSL::X509::Certificate.new(File.read(client_cert_path))
       end
 
+      def provider_certificate
+        OpenSSL::X509::Certificate.new(File.read(provider_cert_path))
+      end
+
       def connection
         @connection ||= Faraday.new(
           base_path,

@@ -57,17 +57,32 @@ def parse_and_raise_error(e, icn, application)
 
       def parse_response(response, application, icn)
         response_body = response.body
+        access_token = validate_map_token(response_body['access_token'])
 
         {
-          access_token: response_body['access_token'],
+          access_token:,
           expiration: Time.zone.now + response_body['expires_in']
         }
+      rescue JWT::VerificationError => e
+        message = "#{config.logging_prefix} token failed, JWT verification error"
+        Rails.logger.error(message, application:, icn:)
+        raise e
       rescue => e
         message = "#{config.logging_prefix} token failed, response unknown"
         Rails.logger.error(message, application:, icn:)
         raise e, "#{message}, application: #{application}, icn: #{icn}"
       end
 
+      def validate_map_token(encoded_token)
+        # waiting for MAP RS512 certificate
+        # public_cert = config.provider_certificate
+        public_cert = OpenSSL::PKey::RSA.new(2048).public_key
+        JWT.decode(encoded_token, public_cert, true, algorithm: 'RS512')
+        # potentially add more validation here
+
+        access_token
+      end
+
       def client_id_from_application(application)
         case application
         when :chatbot

@@ -93,7 +93,25 @@
           end
         end
 
-        context 'when MAP STS client returns an access token',
+        context 'when MAP STS client returns a token with an invalid duration',
+                vcr: { cassette_name: 'map/security_token_service_200_response_invalid_token' } do
+          it 'responds with error details in response body' do
+            call_endpoint
+            expect(JSON.parse(response.body)).to eq(
+              {
+                'error' => 'server_error',
+                'error_description' => 'STS failed to return a valid token.'
+              }
+            )
+          end
+
+          it 'returns HTTP status bad_gateway' do
+            call_endpoint
+            expect(response).to have_http_status(:bad_gateway)
+          end
+        end
+
+        context 'when MAP STS client returns a valid access token',
                 vcr: { cassette_name: 'map/security_token_service_200_response' } do
           it 'responds with STS-issued token in response body' do
             call_endpoint