MHV Login/Logout facility Integration (#452)

* adding the logout logging facility for mhv as an integration, specs to follow * remove unused redis_store change * only do it mhv_correlation_id exists * allow specs to pass but still need to add specs to test service * get test coverage to 100% * addressing comments from @ayal * oops * fixing linter issues
department-of-veterans-affairs · Nov 6, 2016 · 4e9b05a · 4e9b05a
1 parent b363e14
commit 4e9b05a
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 1 deletion.
diff --git a/app/controllers/concerns/mhv_controller_concerns.rb b/app/controllers/concerns/mhv_controller_concerns.rb
@@ -12,6 +12,7 @@ def authorize
   end
 
   def authenticate_client
+    MHVLoggingService.login(current_user)
     client.authenticate if client.session.expired?
   end
 end
diff --git a/app/controllers/v0/sessions_controller.rb b/app/controllers/v0/sessions_controller.rb
@@ -117,6 +117,7 @@ def handle_completed_slo
         logger.error 'The SAML Logout Response is invalid'
         redirect_to SAML_CONFIG['logout_relay'] + '?success=false'
       elsif logout_response.success?
+        MHVLoggingService.logout(current_user)
         delete_session(params[:RelayState])
         redirect_to SAML_CONFIG['logout_relay'] + '?success=true'
       end

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -35,6 +35,10 @@ class User < Common::RedisStore
   # mvi 'golden record' data
   attribute :mvi
 
+  # mhv_last_signed_in used to determine whether we need to notify MHV audit logging
+  # This is set to Time.now when any MHV session is first created, and nulled, when logout
+  attribute :mhv_last_signed_in, Common::UTCTime
+
   validates :uuid, presence: true
   validates :email, presence: true
   validates :loa, presence: true

diff --git a/app/services/mhv_logging_service.rb b/app/services/mhv_logging_service.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+require 'mhv_logging/client'
+class MHVLoggingService
+  def self.login(current_user)
+    # If login has already been submitted, do nothing
+    return false if current_user.mhv_correlation_id.nil? || current_user.mhv_last_signed_in
+    # Otherwise send the login audit trail
+    MHVLogging::Client.new(session: { user_id: current_user.mhv_correlation_id })
+                      .authenticate
+                      .auditlogin
+    # Update the user object with the time of login
+    current_user.mhv_last_signed_in = Time.current
+    current_user.save
+    true
+  end
+
+  def self.logout(current_user)
+    # If login has never been sent, no need to send logout
+    return false unless current_user.mhv_correlation_id.nil? || current_user.mhv_last_signed_in
+    # Otherwise send the logout audit trail
+    MHVLogging::Client.new(session: { user_id: current_user.mhv_correlation_id })
+                      .authenticate
+                      .auditlogout
+    # Update the user object with nil to indicate not logged in
+    current_user.mhv_last_signed_in = nil
+    current_user.save
+    true
+  end
+end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
@@ -44,7 +44,8 @@
   factory :mhv_user, class: 'User' do
     edipi '1234'
     icn '1000123456V123456'
-    mhv_id '123456'
+    mhv_id ENV['MHV_USER_ID']
+    mhv_last_signed_in Time.current
     participant_id '12345678'
     loa do
       {
@@ -67,6 +68,10 @@
         active_status: 'active'
       }
     end
+
+    trait :mhv_not_logged_in do
+      mhv_last_signed_in nil
+    end
   end
 
   factory :loa1_user, class: 'User' do

diff --git a/spec/services/mhv_logging_service_spec.rb b/spec/services/mhv_logging_service_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+require 'rails_helper'
+require 'support/rx_client_helpers'
+
+RSpec.describe MHVLoggingService do
+  subject(:login_service) { described_class.login(mhv_user) }
+  subject(:logout_service) { described_class.logout(mhv_user) }
+
+  let(:authenticated_client) do
+    MHVLogging::Client.new(session: { user_id: mhv_user.mhv_correlation_id,
+                                      expires_at: Time.current + 60 * 60,
+                                      token: '<SESSION_TOKEN>' })
+  end
+
+  before(:each) { allow(MHVLogging::Client).to receive(:new).and_return(authenticated_client) }
+
+  context 'with current_user not having logged in to MHV' do
+    let(:mhv_user) { build(:mhv_user, :mhv_not_logged_in) }
+
+    it 'posts audit log when not logged in' do
+      VCR.use_cassette('mhv_logging_client/audits/submits_an_audit_log_for_signing_in') do
+        expect(mhv_user.mhv_last_signed_in).to be_nil
+        expect(login_service).to eq(true)
+        expect(mhv_user.mhv_last_signed_in).to be_a(Time)
+      end
+    end
+
+    it 'does not logout when not logged in' do
+      expect(mhv_user.mhv_last_signed_in).to be_nil
+      expect(logout_service).to eq(false)
+      expect(mhv_user.mhv_last_signed_in).to be_nil
+    end
+  end
+
+  context 'with current_user having already logged in to MHV' do
+    let(:mhv_user) { build(:mhv_user) }
+
+    it 'posts audit log when not logged in' do
+      expect(mhv_user.mhv_last_signed_in).to be_a(Time)
+      expect(login_service).to eq(false)
+      expect(mhv_user.mhv_last_signed_in).to be_a(Time)
+    end
+
+    it 'does not logout when not logged in' do
+      VCR.use_cassette('mhv_logging_client/audits/submits_an_audit_log_for_signing_out') do
+        expect(mhv_user.mhv_last_signed_in).to be_a(Time)
+        expect(logout_service).to eq(true)
+        expect(mhv_user.mhv_last_signed_in).to be_nil
+      end
+    end
+  end
+end