MAT-6916: Add administrative constraints on endpoint. Add tests

MeasureAuthoringTool · Mar 29, 2024 · f724012 · f724012
1 parent 9f84208
commit f724012
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 13 deletions.
diff --git a/src/main/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyController.java b/src/main/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyController.java
@@ -8,12 +8,15 @@
 import gov.cms.madie.terminology.models.UmlsUser;
 import gov.cms.madie.terminology.service.FhirTerminologyService;
 import gov.cms.madie.terminology.service.VsacService;
+import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.prepost.PreAuthorize;
 
 import java.security.Principal;
 import java.util.List;
@@ -63,7 +66,12 @@ public ResponseEntity<List<QdmValueSet>> getValueSetsExpansions(
   }
 
   @GetMapping(path = "/update-code-systems", produces = MediaType.APPLICATION_JSON_VALUE)
-  public ResponseEntity<List<CodeSystem>> retrieveAndUpdateCodeSystems(Principal principal) {
+  @PreAuthorize("#request.getHeader('api-key') == #apiKey")
+  public ResponseEntity<List<CodeSystem>> retrieveAndUpdateCodeSystems(
+          Principal principal,
+          HttpServletRequest request,
+          @Value("${admin-api-key}") String apiKey,
+          @RequestHeader("Authorization") String accessToken) {
     final String username = principal.getName();
     Optional<UmlsUser> umlsUser = vsacService.findByHarpId(username);
 

diff --git a/src/test/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyControllerMvcTest.java b/src/test/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyControllerMvcTest.java
@@ -1,8 +1,10 @@
 package gov.cms.madie.terminology.controller;
 
 import gov.cms.madie.models.measure.ManifestExpansion;
+import gov.cms.madie.models.measure.Measure;
 import gov.cms.madie.terminology.dto.QdmValueSet;
 import gov.cms.madie.terminology.dto.ValueSetsSearchCriteria;
+import gov.cms.madie.terminology.models.CodeSystem;
 import gov.cms.madie.terminology.models.UmlsUser;
 import gov.cms.madie.terminology.service.FhirTerminologyService;
 import gov.cms.madie.terminology.service.VsacService;
@@ -23,12 +25,14 @@
 
 import static org.hamcrest.CoreMatchers.*;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.*;
 import static org.mockito.Mockito.when;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @WebMvcTest(VsacFhirTerminologyController.class)
@@ -48,6 +52,8 @@ class VsacFhirTerminologyControllerMvcTest {
   private final List<QdmValueSet> mockQdmValueSets = new ArrayList<>();
   private static final String TEST_USER = "test.user";
   private static final String TEST_API_KEY = "te$tKey";
+  private static final String ADMIN_TEST_API_KEY_HEADER = "api-key";
+  private static final String ADMIN_TEST_API_KEY_HEADER_VALUE = "0a51991c";
 
   @BeforeEach
   public void setup() {
@@ -190,4 +196,35 @@ void testUnAuthorizedUmlsUserWhileGetValueSetsExpansionsMvc() throws Exception {
             .andReturn();
     assertThat(result.getResponse().getStatus(), is(equalTo(401)));
   }
+  @Test
+  public void testRetrieveAndUpdateCodeSystemsSuccessfully() throws Exception {
+    Principal principal = mock(Principal.class);
+    when(principal.getName()).thenReturn(TEST_USER);
+    when(vsacService.findByHarpId(anyString())).thenReturn(Optional.empty());
+    MvcResult result =
+            mockMvc
+            .perform(
+                    MockMvcRequestBuilders.get("/terminology/update-code-systems")
+                            .with(csrf())
+                            .with(user(TEST_USR))
+                            .header(ADMIN_TEST_API_KEY_HEADER, ADMIN_TEST_API_KEY_HEADER_VALUE)
+                            .header("Authorization", "test-okta"))
+            .andExpect(status().isUnauthorized())
+            .andReturn();
+    assertThat(result.getResponse().getStatus(), is(equalTo(401)));
+  }
+  @Test
+  public void testRetrieveAndUpdateCodeSystemsUnauthorized() throws Exception {
+    Principal principal = mock(Principal.class);
+    when(principal.getName()).thenReturn(TEST_USER);
+    when(vsacService.findByHarpId(anyString())).thenReturn(Optional.ofNullable(umlsUser));
+    mockMvc
+            .perform(
+                    MockMvcRequestBuilders.get("/terminology/update-code-systems")
+                            .with(csrf())
+                            .with(user(TEST_USR))
+                            .header(ADMIN_TEST_API_KEY_HEADER, ADMIN_TEST_API_KEY_HEADER_VALUE)
+                            .header("Authorization", "test-okta"))
+            .andExpect(status().isOk());
+  }
 }
diff --git a/src/test/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyControllerTest.java b/src/test/java/gov/cms/madie/terminology/controller/VsacFhirTerminologyControllerTest.java
@@ -6,6 +6,7 @@
 import gov.cms.madie.terminology.exceptions.VsacUnauthorizedException;
 import gov.cms.madie.terminology.models.CodeSystem;
 import gov.cms.madie.terminology.models.UmlsUser;
+import gov.cms.madie.terminology.repositories.CodeSystemRepository;
 import gov.cms.madie.terminology.service.FhirTerminologyService;
 import gov.cms.madie.terminology.service.VsacService;
 import org.junit.jupiter.api.BeforeEach;
@@ -16,6 +17,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.mock.web.MockHttpServletRequest;
 
 import java.security.Principal;
 import java.time.Instant;
@@ -26,26 +28,27 @@
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
 
 @ExtendWith(MockitoExtension.class)
 class VsacFhirTerminologyControllerTest {
+  private CodeSystemRepository codeSystemRepository;
 
   @Mock private VsacService vsacService;
-  @Mock private FhirTerminologyService fhirTerminologyService;
+  @Mock FhirTerminologyService fhirTerminologyService;
 
   @InjectMocks private VsacFhirTerminologyController vsacFhirTerminologyController;
   private UmlsUser umlsUser;
   private static final String TEST_USER = "test.user";
-
+  private static final String ADMIN_TEST_API_KEY_HEADER = "api-key";
+  private static final String ADMIN_TEST_API_KEY_HEADER_VALUE = "0a51991c";
   private static final String TEST_HARP_ID = "te$tHarpId";
   private static final String TEST_API_KEY = "te$tKey";
-
+  MockHttpServletRequest request;
   private final List<ManifestExpansion> mockManifests = new ArrayList<>();
-
   private final List<QdmValueSet> mockQdmValueSets = new ArrayList<>();
 
+
   @BeforeEach
   public void setUp() {
     umlsUser = UmlsUser.builder().apiKey(TEST_API_KEY).harpId(TEST_HARP_ID).build();
@@ -66,6 +69,7 @@ public void setUp() {
             .version("20240101")
             .displayName("test-value-set-display-name")
             .build());
+    request = new MockHttpServletRequest();
   }
 
   @Test
@@ -122,15 +126,13 @@ void retrieveAndUpdateCodeSystemsSuccessfully() {
     Principal principal = mock(Principal.class);
     when(principal.getName()).thenReturn(TEST_USER);
     when(vsacService.findByHarpId(anyString())).thenReturn(Optional.ofNullable(umlsUser));
-
     when(fhirTerminologyService.retrieveAllCodeSystems(any())).thenReturn(mockCodeSystemsPage);
 
     ResponseEntity<List<CodeSystem>> response =
-            vsacFhirTerminologyController.retrieveAndUpdateCodeSystems(principal);
+            vsacFhirTerminologyController.retrieveAndUpdateCodeSystems(principal, request, TEST_API_KEY, TEST_USER);
     assertEquals(response.getStatusCode(), HttpStatus.OK);
     assertEquals(response.getBody(), mockCodeSystemsPage);
   }
-
   @Test
   void testUnAuthorizedUmlsUserWhileFetchingValueSetsExpansions() {
     Principal principal = mock(Principal.class);
@@ -149,6 +151,6 @@ void testUnAuthorizedUmlsUserWhileretrievingAndUpdatingCodeSystems() {
             .thenReturn(Optional.ofNullable(UmlsUser.builder().build()));
     assertThrows(
             VsacUnauthorizedException.class,
-            () -> vsacFhirTerminologyController.retrieveAndUpdateCodeSystems(principal));
+            () -> vsacFhirTerminologyController.retrieveAndUpdateCodeSystems(principal, request, TEST_API_KEY, TEST_USER));
   }
 }
diff --git a/src/test/java/gov/cms/madie/terminology/service/FhirTerminologyServiceTest.java b/src/test/java/gov/cms/madie/terminology/service/FhirTerminologyServiceTest.java
@@ -1,7 +1,6 @@
 package gov.cms.madie.terminology.service;
 
 import ca.uhn.fhir.context.FhirContext;
-import ca.uhn.fhir.parser.IParser;
 import com.okta.commons.lang.Collections;
 import gov.cms.madie.models.mapping.CodeSystemEntry;
 import gov.cms.madie.models.measure.ManifestExpansion;
@@ -22,7 +21,6 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.Mockito;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.times;