HAI-3348 Display error message if user does not belong to allowed AD groups

.env

@@ -12,6 +12,8 @@ REACT_APP_FEATURE_PUBLIC_HANKKEET=1
 REACT_APP_FEATURE_HANKE=1
 REACT_APP_FEATURE_CABLE_REPORT_PAPER_DECISION=1
 REACT_APP_FEATURE_INFORMATION_REQUEST=1
+REACT_APP_USE_AD_FILTER=0
+REACT_APP_ALLOWED_AD_GROUPS=""
 REACT_APP_MAINTENANCE_TEXT_FI=""
 REACT_APP_MAINTENANCE_TEXT_SV=""
 REACT_APP_MAINTENANCE_TEXT_EN=""

src/common/utils/toStringArray.ts

@@ -0,0 +1,10 @@
+/**
+ * Converts an unknown value to an array of strings.
+ */
+export default function toStringArray(value: unknown): string[] {
+  if (Array.isArray(value)) {
+    return value.filter((item) => typeof item === 'string');
+  } else {
+    return [];
+  }
+}

src/domain/auth/components/ADGroupsError.tsx

@@ -0,0 +1,49 @@
+import { Box, Flex } from '@chakra-ui/react';
+import { Link, useOidcClient } from 'hds-react';
+import MainHeading from '../../../common/components/mainHeading/MainHeading';
+import { Trans, useTranslation } from 'react-i18next';
+
+export default function ADGroupsError() {
+  const { t } = useTranslation();
+  const oidcClient = useOidcClient();
+
+  function logout() {
+    oidcClient.logout();
+  }
+
+  return (
+    <Flex
+      as="article"
+      flexDirection="column"
+      alignItems="center"
+      textAlign="center"
+      mx="auto"
+      mt={{ base: 'var(--spacing-xl)', md: 'var(--spacing-4-xl)' }}
+      gap={{ base: 'var(--spacing-m)', md: 'var(--spacing-4-xl)' }}
+      px="var(--spacing-s)"
+    >
+      <MainHeading>{t('authentication:noADPermissionHeading')}</MainHeading>
+      <Box
+        as="p"
+        maxWidth="612px"
+        fontSize={{ base: 'var(--fontsize-body-m)', md: 'var(--fontsize-body-l)' }}
+      >
+        <Trans
+          i18nKey="authentication:noADPermissionText"
+          components={{
+            a: (
+              <Box
+                as={Link}
+                href="#"
+                fontSize={{ base: 'var(--fontsize-body-m)', md: 'var(--fontsize-body-l)' }}
+                onClick={logout}
+              >
+                Kirjaudu ulos
+              </Box>
+            ),
+          }}
+        />
+      </Box>
+    </Flex>
+  );
+}

src/domain/auth/components/OidcCallback.test.tsx

@@ -1,6 +1,6 @@
 import { Routes, Route, MemoryRouter } from 'react-router-dom';
 import { I18nextProvider } from 'react-i18next';
-import { cleanup, waitFor } from '@testing-library/react';
+import { cleanup } from '@testing-library/react';
 import OidcCallback from './OidcCallback';
 import { LOGIN_CALLBACK_PATH } from '../constants';
 import i18n from '../../../locales/i18nForTests';
@@ -9,15 +9,17 @@ import {
   renderWithLoginProvider,
 } from '../testUtils/renderWithLoginProvider';
 
-function getWrapper({ state, returnUser, errorType }: RenderWithLoginProviderProps) {
+function getWrapper({ state, returnUser, errorType, userADGroups }: RenderWithLoginProviderProps) {
   return renderWithLoginProvider({
     state,
     returnUser,
     errorType,
+    userADGroups,
     children: (
       <I18nextProvider i18n={i18n}>
         <MemoryRouter initialEntries={[LOGIN_CALLBACK_PATH]}>
           <Routes>
+            <Route path="/" element={<div>Home page</div>} />
             <Route path={LOGIN_CALLBACK_PATH} element={<OidcCallback />} />
           </Routes>
         </MemoryRouter>
@@ -59,9 +61,69 @@ describe('<OidcCallback />', () => {
     ).toBeInTheDocument();
   });
 
-  it('should redirect user after successful login', async () => {
-    getWrapper({ state: 'NO_SESSION', returnUser: true, errorType: 'RENEWAL_FAILED' });
+  it('should redirect user to home page after successful login', async () => {
+    const { findByText } = getWrapper({
+      state: 'NO_SESSION',
+      returnUser: true,
+      errorType: undefined,
+    });
 
-    await waitFor(() => expect(window.location.pathname).toEqual('/'));
+    expect(await findByText('Home page')).toBeInTheDocument();
+  });
+
+  describe('helsinki AD login', () => {
+    it('should show AD group error message when user does not have required AD groups', async () => {
+      const OLD_ENV = { ...window._env_ };
+      window._env_ = {
+        ...OLD_ENV,
+        REACT_APP_USE_AD_FILTER: '1',
+        REACT_APP_ALLOWED_AD_GROUPS: 'test_group_2;test_group_3',
+      };
+      const { findByText } = getWrapper({
+        state: 'NO_SESSION',
+        returnUser: true,
+        errorType: undefined,
+        userADGroups: ['test_group'],
+      });
+
+      expect(await findByText('Ei käyttöoikeutta Haitaton-asiointiin')).toBeInTheDocument();
+      window._env_ = OLD_ENV;
+    });
+
+    it('should redirect user to home page when user has required AD groups', async () => {
+      const OLD_ENV = { ...window._env_ };
+      window._env_ = {
+        ...OLD_ENV,
+        REACT_APP_USE_AD_FILTER: '1',
+        REACT_APP_ALLOWED_AD_GROUPS: 'test_group;test_group_2;test_group_3',
+      };
+      const { findByText } = getWrapper({
+        state: 'NO_SESSION',
+        returnUser: true,
+        errorType: undefined,
+        userADGroups: ['test_group'],
+      });
+
+      expect(await findByText('Home page')).toBeInTheDocument();
+      window._env_ = OLD_ENV;
+    });
+
+    it('should redirect user to home page when REACT_APP_USE_AD_FILTER is not in use even when user does not have required AD groups', async () => {
+      const OLD_ENV = { ...window._env_ };
+      window._env_ = {
+        ...OLD_ENV,
+        REACT_APP_USE_AD_FILTER: '0',
+        REACT_APP_ALLOWED_AD_GROUPS: 'test_group_2',
+      };
+      const { findByText } = getWrapper({
+        state: 'NO_SESSION',
+        returnUser: true,
+        errorType: undefined,
+        userADGroups: ['test_group'],
+      });
+
+      expect(await findByText('Home page')).toBeInTheDocument();
+      window._env_ = OLD_ENV;
+    });
   });
 });

src/domain/auth/components/OidcCallback.tsx

@@ -1,12 +1,22 @@
 import { useState } from 'react';
 import { Flex } from '@chakra-ui/react';
 import { Trans, useTranslation } from 'react-i18next';
-import { Link as HDSLink, LoginCallbackHandler, OidcClientError } from 'hds-react';
+import {
+  Link as HDSLink,
+  LoginCallbackHandler,
+  OidcClientError,
+  User,
+  useOidcClient,
+} from 'hds-react';
 import Text from '../../../common/components/text/Text';
 import { useLocalizedRoutes } from '../../../common/hooks/useLocalizedRoutes';
 import Link from '../../../common/components/Link/Link';
+import ADGroupsError from './ADGroupsError';
+import hasAllowedADGroups from '../hasAllowedADGroups';
+import { useNavigate } from 'react-router-dom';
+import toStringArray from '../../../common/utils/toStringArray';
 
-type AuthenticationError = 'permissionDeniedByUserError' | 'unknown';
+type AuthenticationError = 'permissionDeniedByUserError' | 'unknown' | 'adGroupsError';
 
 type AuthErrorProps = {
   errorText: string;
@@ -52,9 +62,22 @@ const AuthError = ({ errorText }: Readonly<AuthErrorProps>) => {
 const OidcCallback = () => {
   const { t } = useTranslation();
   const [authenticationError, setAuthenticationError] = useState<AuthenticationError | null>(null);
+  const navigate = useNavigate();
+  const oidcClient = useOidcClient();
 
-  function onSuccess() {
-    window.location.pathname = '/';
+  function onSuccess(user: User) {
+    const { ad_groups } = user.profile;
+    const useADFilter = window._env_.REACT_APP_USE_AD_FILTER === '1';
+    const amr = oidcClient.getAmr();
+    const helsinkiADUsed = amr?.includes('helsinkiad');
+
+    // Check if user has required AD groups (when login is done with AD and AD filtering is enabled).
+    if (helsinkiADUsed && useADFilter && !hasAllowedADGroups(toStringArray(ad_groups))) {
+      setAuthenticationError('adGroupsError');
+      return;
+    }
+
+    navigate('/', { replace: true });
   }
 
   function onError(error?: OidcClientError) {
@@ -74,6 +97,7 @@ const OidcCallback = () => {
         {authenticationError === 'unknown' && (
           <AuthError errorText={t('authentication:genericError')} />
         )}
+        {authenticationError === 'adGroupsError' && <ADGroupsError />}
       </>
     </LoginCallbackHandler>
   );

src/domain/auth/hasAllowedADGroups.ts

@@ -0,0 +1,10 @@
+/**
+ * Checks if the user belongs to any of the allowed Active Directory (AD) groups.
+ *
+ * @param {string[]} ad_groups - An array of AD group names the user belongs to.
+ * @returns {boolean} - Returns `true` if the user belongs to at least one of the allowed AD groups, otherwise `false`.
+ */
+export default function hasAllowedADGroups(ad_groups: string[]): boolean {
+  const ALLOWED_AD_GROUPS = window._env_?.REACT_APP_ALLOWED_AD_GROUPS?.split(';') ?? [];
+  return ad_groups.some((group) => ALLOWED_AD_GROUPS.includes(group));
+}

src/domain/auth/testUtils/renderWithLoginProvider.tsx

@@ -27,6 +27,7 @@ export type RenderWithLoginProviderProps = {
   state: OidcClientState;
   returnUser: boolean;
   placeUserToStorage?: boolean;
+  userADGroups?: string[];
   errorType?: 'SIGNIN_ERROR' | 'INVALID_OR_EXPIRED_USER' | 'RENEWAL_FAILED';
   children?: React.ReactNode;
 };
@@ -35,6 +36,7 @@ export function renderWithLoginProvider({
   state,
   returnUser,
   placeUserToStorage = true,
+  userADGroups,
   errorType,
   children,
 }: RenderWithLoginProviderProps) {
@@ -45,10 +47,13 @@ export function renderWithLoginProvider({
     connect: (targetBeacon) => {
       beacon = targetBeacon;
       beacon.addListener(triggerForAllOidcClientSignals, (signal) => {
-        const user = createUser(placeUserToStorage);
+        const user = createUser(placeUserToStorage, userADGroups);
         const oidcClient = signal.context as OidcClient;
         jest.spyOn(oidcClient, 'getState').mockReturnValue(state);
         jest.spyOn(oidcClient, 'getUser').mockReturnValue(user);
+        jest
+          .spyOn(oidcClient, 'getAmr')
+          .mockReturnValue(userADGroups === undefined ? ['suomi_fi'] : ['helsinkiad']);
         if (!returnUser) {
           jest.spyOn(oidcClient, 'handleCallback').mockRejectedValue(handleError);
         } else {

src/domain/auth/testUtils/userTestUtil.ts

@@ -5,7 +5,7 @@ const client_id = 'test-client';
 
 const tokenExpirationTimeInSeconds = 3600;
 
-export function createUser(placeUserToStorage = true): User {
+export function createUser(placeUserToStorage = true, ad_groups?: string[]): User {
   const nowAsSeconds = Math.round(Date.now() / 1000);
   const expires_in = tokenExpirationTimeInSeconds;
   const expires_at = nowAsSeconds + expires_in;
@@ -23,6 +23,7 @@ export function createUser(placeUserToStorage = true): User {
       name: 'Test User',
       email: '[email protected]',
       amr: ['validAmr'],
+      ad_groups,
     },
     refresh_token: 'refresh_token',
     scope: 'openid profile',

src/locales/fi.json

@@ -10,7 +10,9 @@
     "loggingIn": "Kirjaudutaan sisään...",
     "loggingOut": "Kirjaudutaan ulos...",
     "loggingInErrorLabel": "Kirjautumisessa tapahtui virhe",
-    "logoutError": "Uloskirjautumisessa tapahtui virhe"
+    "logoutError": "Uloskirjautumisessa tapahtui virhe",
+    "noADPermissionHeading": "Ei käyttöoikeutta Haitaton-asiointiin",
+    "noADPermissionText": "Sinulla ei ole oikeutta AD-tunnistautumiseen. <a>Kirjaudu ulos</a> Haitattomasta ja yritä uudelleen suomi.fi-tunnistautumisen kautta."
   },
   "common": {
     "increment": "Lisää",