Merge pull request #5687 from dfe-analytical-services/EES-5913-hotfix-fix-preview-tokens

EES-5913 - fix issues with using Preview Tokens on draft DataSets

Author: duncan-at-hiveit

src/GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Tests/Controllers/DataSetsControllerTests.cs

@@ -520,6 +520,7 @@ await TestApp.AddTestData<PublicDataDbContext>(context =>
             Assert.Equal(dataSet.Summary, result.Summary);
             Assert.Equal(dataSet.Status, result.Status);
             Assert.Equal(dataSet.SupersedingDataSetId, result.SupersedingDataSetId);
+            Assert.NotNull(result.LatestVersion);
             Assert.Equal(dataSetVersion.PublicVersion, result.LatestVersion.Version);
             Assert.Equal(
                 dataSetVersion.Published.TruncateNanoseconds(),

src/GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Tests/Controllers/PublicationsControllerTests.cs

@@ -22,7 +22,7 @@ public class QueryDataSetVersionAuthorizationHandlerTests
     [Theory]
     [MemberData(nameof(DataSetVersionStatusQueryTheoryData.AvailableStatuses),
         MemberType = typeof(DataSetVersionStatusQueryTheoryData))]
-    public void Success(DataSetVersionStatus status)
+    public async Task Success(DataSetVersionStatus status)
     {
         DataSetVersion dataSetVersion = _dataFixture
             .DefaultDataSetVersion()
@@ -31,15 +31,15 @@ public void Success(DataSetVersionStatus status)
         var handler = BuildHandler();
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.True(context.HasSucceeded);
     }
 
     [Theory]
     [MemberData(nameof(DataSetVersionStatusQueryTheoryData.UnavailableStatuses),
         MemberType = typeof(DataSetVersionStatusQueryTheoryData))]
-    public void Failure(DataSetVersionStatus status)
+    public async Task Failure(DataSetVersionStatus status)
     {
         DataSetVersion dataSetVersion = _dataFixture
             .DefaultDataSetVersion()
@@ -48,15 +48,15 @@ public void Failure(DataSetVersionStatus status)
         var handler = BuildHandler();
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.False(context.HasSucceeded);
     }
 
     [Theory]
     [MemberData(nameof(DataSetVersionStatusQueryTheoryData.AvailableStatusesIncludingDraft),
         MemberType = typeof(DataSetVersionStatusQueryTheoryData))]
-    public void Success_PreviewTokenIsActive(DataSetVersionStatus status)
+    public async Task Success_PreviewTokenIsActive(DataSetVersionStatus status)
     {
         DataSetVersion dataSetVersion = _dataFixture
             .DefaultDataSetVersion()
@@ -79,13 +79,13 @@ public void Success_PreviewTokenIsActive(DataSetVersionStatus status)
 
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.True(context.HasSucceeded);
     }
 
     [Fact]
-    public void Failure_PreviewTokenIsExpired()
+    public async Task Failure_PreviewTokenIsExpired()
     {
         DataSetVersion dataSetVersion = _dataFixture
             .DefaultDataSetVersion()
@@ -108,13 +108,13 @@ public void Failure_PreviewTokenIsExpired()
 
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.False(context.HasSucceeded);
     }
 
     [Fact]
-    public void Failure_PreviewTokenIsForWrongDataSetVersion()
+    public async Task Failure_PreviewTokenIsForWrongDataSetVersion()
     {
         var (dataSetVersion1, dataSetVersion2) = _dataFixture
             .DefaultDataSetVersion()
@@ -139,15 +139,15 @@ public void Failure_PreviewTokenIsForWrongDataSetVersion()
 
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion1);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.False(context.HasSucceeded);
     }
 
     [Theory]
     [MemberData(nameof(DataSetVersionStatusQueryTheoryData.UnavailableStatusesExceptDraft),
         MemberType = typeof(DataSetVersionStatusQueryTheoryData))]
-    public void Failure_PreviewTokenIsForUnavailableDataSetVersion(DataSetVersionStatus status)
+    public async Task Failure_PreviewTokenIsForUnavailableDataSetVersion(DataSetVersionStatus status)
     {
         DataSetVersion dataSetVersion = _dataFixture
             .DefaultDataSetVersion()
@@ -170,7 +170,7 @@ public void Failure_PreviewTokenIsForUnavailableDataSetVersion(DataSetVersionSta
 
         var context = CreateAnonymousAuthContext<QueryDataSetVersionRequirement, DataSetVersion>(dataSetVersion);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.False(context.HasSucceeded);
     }

src/GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Tests/Security/AuthorizationHandlers/QueryDataSetVersionAuthorizationHandlerTests.cs

@@ -1,8 +1,18 @@
+using GovUk.Education.ExploreEducationStatistics.Common.Extensions;
 using GovUk.Education.ExploreEducationStatistics.Common.Tests.Fixtures;
+using GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Constants;
 using GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Security.AuthorizationHandlers;
+using GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Services;
+using GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Services.Security;
 using GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Tests.TheoryData;
 using GovUk.Education.ExploreEducationStatistics.Public.Data.Model;
+using GovUk.Education.ExploreEducationStatistics.Public.Data.Model.Database;
 using GovUk.Education.ExploreEducationStatistics.Public.Data.Model.Tests.Fixtures;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Primitives;
+using Moq;
+using Moq.EntityFrameworkCore;
 using static GovUk.Education.ExploreEducationStatistics.Common.Security.AuthorizationHandlerContextFactory;
 
 namespace GovUk.Education.ExploreEducationStatistics.Public.Data.Api.Tests.Security.AuthorizationHandlers;
@@ -14,7 +24,7 @@ public class ViewDataSetAuthorizationHandlerTests
     [Theory]
     [MemberData(nameof(DataSetStatusTheoryData.AvailableStatuses),
         MemberType = typeof(DataSetStatusTheoryData))]
-    public void Success(DataSetStatus status)
+    public async Task DataSetHasAvailableStatus_Success(DataSetStatus status)
     {
         DataSet dataSet = _dataFixture
             .DefaultDataSet()
@@ -23,15 +33,15 @@ public void Success(DataSetStatus status)
         var handler = BuildHandler();
         var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.True(context.HasSucceeded);
     }
 
     [Theory]
     [MemberData(nameof(DataSetStatusTheoryData.UnavailableStatuses),
         MemberType = typeof(DataSetStatusTheoryData))]
-    public void Failure(DataSetStatus status)
+    public async Task DataSetHasUnavailableStatus_Failure(DataSetStatus status)
     {
         DataSet dataSet = _dataFixture
             .DefaultDataSet()
@@ -40,13 +50,219 @@ public void Failure(DataSetStatus status)
         var handler = BuildHandler();
         var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
 
-        handler.HandleAsync(context);
+        await handler.HandleAsync(context);
 
         Assert.False(context.HasSucceeded);
     }
+    
+    [Theory]
+    [MemberData(nameof(DataSetStatusTheoryData.AllStatuses),
+        MemberType = typeof(DataSetStatusTheoryData))]
+    public async Task PreviewTokenForDraftDataSetVersionActive_Success(DataSetStatus status)
+    {
+        DataSet dataSet = _dataFixture
+            .DefaultDataSet()
+            .WithStatus(status);
+
+        DataSetVersion dataSetVersion = _dataFixture
+            .DefaultDataSetVersion()
+            .WithStatus(DataSetVersionStatus.Draft)
+            .WithPreviewTokens(() => [_dataFixture.DefaultPreviewToken()])
+            .FinishWith(dsv => dataSet.LatestDraftVersionId = dsv.Id);
+
+        var publicDataDbContext = new Mock<PublicDataDbContext>();
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSets).ReturnsDbSet([dataSet]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSetVersions).ReturnsDbSet([dataSetVersion]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.PreviewTokens).ReturnsDbSet(dataSetVersion.PreviewTokens);
+
+        var handler = BuildHandler(
+            publicDataDbContext: publicDataDbContext.Object,
+            requestHeaders:
+            [
+                PreviewTokenRequestHeader(dataSetVersion.PreviewTokens[0])
+            ]);
+        var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
+
+        await handler.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+    
+    /// <summary>
+    /// Despite the Preview Token being used is expired, the DataSet's status itself is
+    /// available to the public, and so the auth succeeds.
+    /// </summary>
+    [Theory]
+    [MemberData(nameof(DataSetStatusTheoryData.AvailableStatuses),
+        MemberType = typeof(DataSetStatusTheoryData))]
+    public async Task PreviewTokenForDraftDataSetVersionExpired_DataSetStatusAvailable_Success(DataSetStatus status)
+    {
+        DataSet dataSet = _dataFixture
+            .DefaultDataSet()
+            .WithStatus(status);
+
+        DataSetVersion dataSetVersion = _dataFixture
+            .DefaultDataSetVersion()
+            .WithStatus(DataSetVersionStatus.Draft)
+            .WithPreviewTokens(() => [_dataFixture.DefaultPreviewToken(expired: true)])
+            .FinishWith(dsv => dataSet.LatestDraftVersionId = dsv.Id);
+
+        var publicDataDbContext = new Mock<PublicDataDbContext>();
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSets).ReturnsDbSet([dataSet]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSetVersions).ReturnsDbSet([dataSetVersion]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.PreviewTokens).ReturnsDbSet(dataSetVersion.PreviewTokens);
+
+        var handler = BuildHandler(
+            publicDataDbContext: publicDataDbContext.Object,
+            requestHeaders:
+            [
+                PreviewTokenRequestHeader(dataSetVersion.PreviewTokens[0])
+            ]);
+        var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
+
+        await handler.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+    
+    /// <summary>
+    /// The Preview Token being used is expired and the DataSet's status is
+    /// unavailable to the public, and so the auth fails.
+    /// </summary>
+    [Theory]
+    [MemberData(nameof(DataSetStatusTheoryData.UnavailableStatuses),
+        MemberType = typeof(DataSetStatusTheoryData))]
+    public async Task PreviewTokenForDraftDataSetVersionExpired_DataSetStatusUnavailable_Failure(DataSetStatus status)
+    {
+        DataSet dataSet = _dataFixture
+            .DefaultDataSet()
+            .WithStatus(status);
+
+        DataSetVersion dataSetVersion = _dataFixture
+            .DefaultDataSetVersion()
+            .WithStatus(DataSetVersionStatus.Draft)
+            .WithPreviewTokens(() => [_dataFixture.DefaultPreviewToken(expired: true)])
+            .FinishWith(dsv => dataSet.LatestDraftVersionId = dsv.Id);
+
+        var publicDataDbContext = new Mock<PublicDataDbContext>();
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSets).ReturnsDbSet([dataSet]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSetVersions).ReturnsDbSet([dataSetVersion]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.PreviewTokens).ReturnsDbSet(dataSetVersion.PreviewTokens);
+
+        var handler = BuildHandler(
+            publicDataDbContext: publicDataDbContext.Object,
+            requestHeaders:
+            [
+                PreviewTokenRequestHeader(dataSetVersion.PreviewTokens[0])
+            ]);
+        var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
+
+        await handler.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+    
+    /// <summary>
+    /// Despite the Preview Token being used is for a non-draft DataSetVersion, the DataSet's
+    /// status itself is available to the public, and so the auth succeeds.
+    /// </summary>
+    [Theory]
+    [MemberData(nameof(DataSetStatusTheoryData.AvailableStatuses),
+        MemberType = typeof(DataSetStatusTheoryData))]
+    public async Task PreviewTokenActiveButForLiveDataSetVersion_DataSetStatusAvailable_Success(DataSetStatus status)
+    {
+        DataSet dataSet = _dataFixture
+            .DefaultDataSet()
+            .WithStatus(status);
+
+        DataSetVersion dataSetVersion = _dataFixture
+            .DefaultDataSetVersion()
+            .WithStatus(DataSetVersionStatus.Published)
+            .WithPreviewTokens(() => [_dataFixture.DefaultPreviewToken()])
+            .FinishWith(dsv => dataSet.LatestLiveVersionId = dsv.Id);
+
+        var publicDataDbContext = new Mock<PublicDataDbContext>();
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSets).ReturnsDbSet([dataSet]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSetVersions).ReturnsDbSet([dataSetVersion]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.PreviewTokens).ReturnsDbSet(dataSetVersion.PreviewTokens);
+
+        var handler = BuildHandler(
+            publicDataDbContext: publicDataDbContext.Object,
+            requestHeaders:
+            [
+                PreviewTokenRequestHeader(dataSetVersion.PreviewTokens[0])
+            ]);
+        var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
+
+        await handler.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+    
+    /// <summary>
+    /// The Preview Token being used is for a non-draft DataSetVersion and the DataSet's
+    /// status itself is unavailable to the public, and so the auth false.
+    /// </summary>
+    [Theory]
+    [MemberData(nameof(DataSetStatusTheoryData.UnavailableStatuses),
+        MemberType = typeof(DataSetStatusTheoryData))]
+    public async Task PreviewTokenActiveButForLiveDataSetVersion_DataSetStatusUnavailable_Failure(DataSetStatus status)
+    {
+        DataSet dataSet = _dataFixture
+            .DefaultDataSet()
+            .WithStatus(status);
+
+        DataSetVersion dataSetVersion = _dataFixture
+            .DefaultDataSetVersion()
+            .WithStatus(DataSetVersionStatus.Published)
+            .WithPreviewTokens(() => [_dataFixture.DefaultPreviewToken()])
+            .FinishWith(dsv => dataSet.LatestLiveVersionId = dsv.Id);
+
+        var publicDataDbContext = new Mock<PublicDataDbContext>();
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSets).ReturnsDbSet([dataSet]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.DataSetVersions).ReturnsDbSet([dataSetVersion]);
+        publicDataDbContext.SetupGet(dbContext => dbContext.PreviewTokens).ReturnsDbSet(dataSetVersion.PreviewTokens);
+
+        var handler = BuildHandler(
+            publicDataDbContext: publicDataDbContext.Object,
+            requestHeaders:
+            [
+                PreviewTokenRequestHeader(dataSetVersion.PreviewTokens[0])
+            ]);
+        var context = CreateAnonymousAuthContext<ViewDataSetRequirement, DataSet>(dataSet);
+
+        await handler.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    private static ViewDataSetAuthorizationHandler BuildHandler(
+        PublicDataDbContext? publicDataDbContext = null,
+        IList<KeyValuePair<string, StringValues>>? requestHeaders = null)
+    {
+        var dbContext = publicDataDbContext ?? Mock.Of<PublicDataDbContext>();
+        
+        var httpContextAccessor = new HttpContextAccessor
+        {
+            HttpContext = new DefaultHttpContext()
+        };
+        
+        var headers = httpContextAccessor.HttpContext.Request.Headers;
+        requestHeaders?.ForEach(header => 
+            headers.Append(header.Key, header.Value));
+
+        var previewTokenService = new PreviewTokenService(dbContext);
+
+        var authorizationHandlerService = new AuthorizationHandlerService(
+            httpContextAccessor: httpContextAccessor,
+            environment: Mock.Of<IWebHostEnvironment>(),
+            previewTokenService);
+        
+        return new ViewDataSetAuthorizationHandler(authorizationHandlerService);
+    }
 
-    private static ViewDataSetAuthorizationHandler BuildHandler()
+    private static KeyValuePair<string, StringValues> PreviewTokenRequestHeader(PreviewToken previewToken)
     {
-        return new ViewDataSetAuthorizationHandler();
+        return new KeyValuePair<string, StringValues>(RequestHeaderNames.PreviewToken, previewToken.Id.ToString());
     }
 }