feat: split app-scopes endpoint into, status, login and app-scopes (#…

…14075)

Co-authored-by: William Thorenfeldt <48119543+wrt95@users.noreply.github.com>
Co-authored-by: Mirko Sekulic <misha.sekulic@gmail.com>

backend/src/Designer/Controllers/AnsattPortenController.cs

@@ -0,0 +1,45 @@
+using System.Threading.Tasks;
+using Altinn.Studio.Designer.Constants;
+using Altinn.Studio.Designer.Models.Dto;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.FeatureManagement.Mvc;
+
+namespace Altinn.Studio.Designer.Controllers;
+
+[FeatureGate(StudioFeatureFlags.AnsattPorten)]
+[Route("designer/api/[controller]")]
+[ApiController]
+public class AnsattPortenController : ControllerBase
+{
+    [Authorize(AnsattPortenConstants.AnsattportenAuthorizationPolicy)]
+    [HttpGet("login")]
+    public async Task<IActionResult> Login([FromQuery(Name = "redirect_to")] string redirectTo)
+    {
+        await Task.CompletedTask;
+        if (!Url.IsLocalUrl(redirectTo))
+        {
+            return Forbid();
+        }
+
+        return LocalRedirect(redirectTo);
+    }
+
+    [AllowAnonymous]
+    [HttpGet("auth-status")]
+    public async Task<IActionResult> AuthStatus()
+    {
+        await Task.CompletedTask;
+        var authenticateResult =
+            await HttpContext.AuthenticateAsync(AnsattPortenConstants.AnsattportenAuthenticationScheme);
+
+        var authStatus = new AuthStatus
+        {
+            IsLoggedIn = authenticateResult.Succeeded
+        };
+
+        return Ok(authStatus);
+    }
+
+}

backend/src/Designer/Controllers/AppScopesController.cs

@@ -18,7 +18,6 @@ namespace Altinn.Studio.Designer.Controllers;
 [ApiController]
 [FeatureGate(StudioFeatureFlags.AnsattPorten)]
 [Route("designer/api/{org}/{app:regex(^(?!datamodels$)[[a-z]][[a-z0-9-]]{{1,28}}[[a-z0-9]]$)}/app-scopes")]
-
 public class AppScopesController(IMaskinPortenHttpClient maskinPortenHttpClient,
     IAppScopesService appScopesService) : ControllerBase
 {
@@ -28,7 +27,7 @@ public async Task<IActionResult> GetScopesFromMaskinPorten(string org, string ap
     {
         var scopes = await maskinPortenHttpClient.GetAvailableScopes(cancellationToken);
 
-        var reponse = new AppScopesResponse()
+        var response = new AppScopesResponse()
         {
             Scopes = scopes.Select(x => new MaskinPortenScopeDto()
             {
@@ -37,10 +36,9 @@ public async Task<IActionResult> GetScopesFromMaskinPorten(string org, string ap
             }).ToHashSet()
         };
 
-        return Ok(reponse);
+        return Ok(response);
     }
 
-
     [Authorize]
     [HttpPut]
     public async Task UpsertAppScopes(string org, string app, [FromBody] AppScopesUpsertRequest appScopesUpsertRequest,
@@ -56,7 +54,6 @@ public async Task UpsertAppScopes(string org, string app, [FromBody] AppScopesUp
         await appScopesService.UpsertScopesAsync(AltinnRepoEditingContext.FromOrgRepoDeveloper(org, app, developer), scopes, cancellationToken);
     }
 
-
     [Authorize]
     [HttpGet]
     public async Task<IActionResult> GetAppScopes(string org, string app, CancellationToken cancellationToken)
@@ -74,5 +71,4 @@ public async Task<IActionResult> GetAppScopes(string org, string app, Cancellati
 
         return Ok(reponse);
     }
-
 }

backend/src/Designer/Infrastructure/AnsattPorten/AnsattPortenExtensions.cs

@@ -75,8 +75,7 @@ private static IServiceCollection AddAnsattPortenAuthentication(this IServiceCol
                     options.Events.OnRedirectToIdentityProvider = context =>
                     {
 
-                        if (!context.Request.Path.StartsWithSegments("/designer/api") ||
-                            !context.Request.Path.Value!.Contains("/maskinporten"))
+                        if (!context.Request.Path.StartsWithSegments("/designer/api/ansattporten/login"))
                         {
                             context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                             context.HandleResponse();

backend/src/Designer/Infrastructure/AuthenticationConfiguration.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Altinn.Studio.Designer.Configuration;
+using Altinn.Studio.Designer.Constants;
 using Altinn.Studio.Designer.Helpers;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
@@ -38,6 +39,7 @@ private static IServiceCollection AddGiteaOidcAuthentication(this IServiceCollec
             IConfiguration configuration, IWebHostEnvironment env)
         {
             var oidcSettings = FetchOidcSettingsFromConfiguration(configuration, env);
+            bool ansattPortenFeatureFlag = configuration.GetSection($"FeatureManagement:{StudioFeatureFlags.AnsattPorten}").Get<bool>();
 
             services
                 .AddAuthentication(options =>
@@ -49,7 +51,8 @@ private static IServiceCollection AddGiteaOidcAuthentication(this IServiceCollec
                 {
                     options.Cookie.HttpOnly = true;
                     options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-                    options.Cookie.SameSite = SameSiteMode.Strict;
+                    options.Cookie.SameSite = ansattPortenFeatureFlag ? SameSiteMode.Lax : SameSiteMode.Strict;
+
                     options.Cookie.IsEssential = true;
 
                     options.ExpireTimeSpan = TimeSpan.FromMinutes(oidcSettings.CookieExpiryTimeInMinutes);

backend/src/Designer/Models/Dto/AuthStatus.cs

@@ -0,0 +1,6 @@
+namespace Altinn.Studio.Designer.Models.Dto;
+
+public class AuthStatus
+{
+    public bool IsLoggedIn { get; set; }
+}

backend/tests/Designer.Tests/Controllers/AnsattPortenController/AuthStatusTests.cs

@@ -0,0 +1,82 @@
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Altinn.Studio.Designer.Models.Dto;
+using Designer.Tests.Controllers.AnsattPortenController.Base;
+using Designer.Tests.Controllers.ApiTests;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.AspNetCore.Mvc.Testing.Handlers;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Xunit;
+
+namespace Designer.Tests.Controllers.AnsattPortenController;
+
+public class AuthStatusTest : AnsattPortenControllerTestsBase<AuthStatusTest>, IClassFixture<WebApplicationFactory<Program>>
+{
+    private static string VersionPrefix => "/designer/api/ansattporten/auth-status";
+
+    // Setup unauthenticated http client
+    protected override HttpClient GetTestClient()
+    {
+        string configPath = GetConfigPath();
+        IConfiguration configuration = new ConfigurationBuilder()
+            .AddJsonFile(configPath, false, false)
+            .AddJsonStream(GenerateJsonOverrideConfig())
+            .AddEnvironmentVariables()
+            .Build();
+
+        return Factory.WithWebHostBuilder(builder =>
+        {
+            builder.UseConfiguration(configuration);
+            builder.ConfigureAppConfiguration((_, conf) =>
+            {
+                conf.AddJsonFile(configPath);
+                conf.AddJsonStream(GenerateJsonOverrideConfig());
+            });
+            builder.ConfigureTestServices(ConfigureTestServices);
+            builder.ConfigureServices(ConfigureTestServicesForSpecificTest);
+        }).CreateDefaultClient(new CookieContainerHandler());
+    }
+
+    public AuthStatusTest(WebApplicationFactory<Program> factory) : base(factory)
+    {
+    }
+
+    [Fact]
+    public async Task AuthStatus_Should_ReturnFalse_IfNotAuthenticated()
+    {
+        using var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, VersionPrefix);
+
+        using var response = await HttpClient.SendAsync(httpRequestMessage);
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+
+        AuthStatus authStatus = await response.Content.ReadAsAsync<AuthStatus>();
+        authStatus.IsLoggedIn.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task AuthStatus_Should_ReturnTrue_IfAuthenticated()
+    {
+        // Setup test authentication
+        ConfigureTestServicesForSpecificTest = services =>
+        {
+            services.AddAuthentication(defaultScheme: TestAuthConstants.TestAuthenticationScheme)
+                .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(
+                    TestAuthConstants.TestAuthenticationScheme, options => { });
+            services.AddTransient<IAuthenticationSchemeProvider, TestSchemeProvider>();
+        };
+
+        using var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, VersionPrefix);
+
+        using var response = await HttpClient.SendAsync(httpRequestMessage);
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+
+        AuthStatus authStatus = await response.Content.ReadAsAsync<AuthStatus>();
+        authStatus.IsLoggedIn.Should().BeTrue();
+    }
+}

backend/tests/Designer.Tests/Controllers/AnsattPortenController/Base/AnsattPortenControllerTestsBase.cs

@@ -0,0 +1,24 @@
+using Altinn.Studio.Designer.Constants;
+using Designer.Tests.Controllers.ApiTests;
+using Microsoft.AspNetCore.Mvc.Testing;
+
+namespace Designer.Tests.Controllers.AnsattPortenController.Base;
+
+public class AnsattPortenControllerTestsBase<TControllerTest> : DesignerEndpointsTestsBase<TControllerTest> where TControllerTest : class
+{
+    public AnsattPortenControllerTestsBase(WebApplicationFactory<Program> factory) : base(factory)
+    {
+        JsonConfigOverrides.Add(
+            $$"""
+                 {
+                       "FeatureManagement": {
+                           "{{StudioFeatureFlags.AnsattPorten}}": true
+                       },
+                       "AnsattPortenLoginSettings": {
+                           "ClientId": "non-empty-for-testing",
+                           "ClientSecret": "non-empty-for-testing"
+                       }
+                 }
+              """);
+    }
+}

backend/tests/Designer.Tests/Controllers/AnsattPortenController/LoginTests.cs

@@ -0,0 +1,37 @@
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Altinn.Studio.Designer.Constants;
+using Designer.Tests.Controllers.AnsattPortenController.Base;
+using Designer.Tests.Controllers.ApiTests;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Xunit;
+
+namespace Designer.Tests.Controllers.AnsattPortenController;
+
+public class LoginTests : AnsattPortenControllerTestsBase<LoginTests>, IClassFixture<WebApplicationFactory<Program>>
+{
+    private static string VersionPrefix => "/designer/api/ansattporten/login";
+
+    public LoginTests(WebApplicationFactory<Program> factory) : base(factory)
+    {
+    }
+
+    [Theory]
+    [InlineData("/test", HttpStatusCode.Redirect)]
+    [InlineData("/", HttpStatusCode.Redirect)]
+    [InlineData("https://docs.altinn.studio/", HttpStatusCode.Forbidden)]
+    public async Task LoginShouldReturn_ExpectedCode(string redirectTo, HttpStatusCode expectedStatusCode)
+    {
+        using var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get
+            , $"{VersionPrefix}?redirect_to={redirectTo}");
+
+        using var response = await HttpClient.SendAsync(httpRequestMessage);
+        Assert.Equal(expectedStatusCode, response.StatusCode);
+
+        if (expectedStatusCode == HttpStatusCode.Redirect)
+        {
+            Assert.Equal(redirectTo, response.Headers.Location?.ToString());
+        }
+    }
+}

backend/tests/Designer.Tests/Controllers/ApiTests/ApiTestsBase.cs

@@ -44,7 +44,7 @@ protected HttpClient HttpClient
     /// </summary>
     protected abstract void ConfigureTestServices(IServiceCollection services);
 
-    protected Action<IServiceCollection> ConfigureTestForSpecificTest { get; set; } = delegate { };
+    protected Action<IServiceCollection> ConfigureTestServicesForSpecificTest { get; set; } = delegate { };
 
     /// <summary>
     /// Location of the assembly of the executing unit test.
@@ -97,7 +97,7 @@ protected virtual HttpClient GetTestClient()
                         TestAuthConstants.TestAuthenticationScheme, options => { });
                 services.AddTransient<IAuthenticationSchemeProvider, TestSchemeProvider>();
             });
-            builder.ConfigureServices(ConfigureTestForSpecificTest);
+            builder.ConfigureServices(ConfigureTestServicesForSpecificTest);
         }).CreateDefaultClient(new ApiTestsAuthAndCookieDelegatingHandler(), new CookieContainerHandler());
     }
 
@@ -152,7 +152,7 @@ private void InitializeJsonConfigOverrides()
     }
 
 
-    private Stream GenerateJsonOverrideConfig()
+    protected Stream GenerateJsonOverrideConfig()
     {
         var overrideJson = Newtonsoft.Json.Linq.JObject.Parse(JsonConfigOverrides.First());
         if (JsonConfigOverrides.Count > 1)

backend/tests/Designer.Tests/Controllers/AppScopesController/Base/AppScopesControllerTestsBase.cs

@@ -1,3 +1,4 @@
+using Altinn.Studio.Designer.Constants;
 using Designer.Tests.Controllers.ApiTests;
 using Designer.Tests.Fixtures;
 using Microsoft.AspNetCore.Mvc.Testing;
@@ -9,16 +10,17 @@ public class AppScopesControllerTestsBase<TControllerTest> : DbDesignerEndpoints
 {
     public AppScopesControllerTestsBase(WebApplicationFactory<Program> factory, DesignerDbFixture designerDbFixture) : base(factory, designerDbFixture)
     {
-        JsonConfigOverrides.Add($@"
-              {{
-                    ""FeatureManagement"": {{
-                        ""AnsattPorten"": true
-                    }},
-                    ""AnsattPortenLoginSettings"": {{
-                        ""ClientId"": ""non-empty-for-testing"",
-                        ""ClientSecret"": ""non-empty-for-testing""
-                    }}
-             }}
-            ");
+        JsonConfigOverrides.Add(
+            $$"""
+                     {
+                           "FeatureManagement": {
+                               "{{StudioFeatureFlags.AnsattPorten}}": true
+                           },
+                           "AnsattPortenLoginSettings": {
+                               "ClientId": "non-empty-for-testing",
+                               "ClientSecret": "non-empty-for-testing"
+                           }
+                     }
+                  """);
     }
 }

backend/tests/Designer.Tests/Controllers/PreviewController/GetImageTests.cs

@@ -84,7 +84,7 @@ public async Task Get_Image_Non_Existing_Image_Return_NotFound()
         public async Task Call_To_Get_Designer_Iframe_Does_Not_Hit_Image_EndPoint()
         {
             Mock<IAltinnGitRepositoryFactory> factMock = new();
-            ConfigureTestForSpecificTest = s =>
+            ConfigureTestServicesForSpecificTest = s =>
             {
                 s.AddTransient(_ => factMock.Object);
             };

charts/altinn-designer/values.yaml

@@ -53,7 +53,7 @@ environmentVariables:
     - name: OidcLoginSettings__CookieExpiryTimeInMinutes
       value: 59
     - name: FeatureManagement__AnsattPorten
-      value: "false"
+      value: "true"
     - name: FeatureManagement__EidLogging
       value: "true"
   staging:

frontend/app-development/hooks/queries/useIsLoggedInWithAnsattportenQuery.ts

@@ -4,8 +4,8 @@ import { useServicesContext } from 'app-shared/contexts/ServicesContext';
 
 export const useIsLoggedInWithAnsattportenQuery = () => {
   const { getIsLoggedInWithAnsattporten } = useServicesContext();
-  return useQuery<boolean>({
+  return useQuery<{ isLoggedIn: boolean }>({
     queryKey: [QueryKey.IsLoggedInWithAnsattporten],
-    queryFn: () => getIsLoggedInWithAnsattporten(),
+    queryFn: getIsLoggedInWithAnsattporten,
   });
 };