Create STS authenticated TOU current_status route

app/controllers/sign_in/terms_of_use_controller.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module SignIn
+  class TermsOfUseController < ServiceAccountApplicationController
+    service_tag 'identity'
+    before_action :set_current_terms_of_use_agreement, only: %i[current_status]
+
+    def current_status
+      Rails.logger.info('[SignIn][TermsOfUseController] current_status success', icn:)
+      render json: { agreement_status: @current_terms_of_use_agreement&.response }, status: :ok
+    end
+
+    private
+
+    def set_current_terms_of_use_agreement
+      @current_terms_of_use_agreement = TermsOfUseAgreement.joins(:user_account)
+                                                           .where(user_account: { icn: })
+                                                           .current.last
+    end
+
+    def icn
+      @service_account_access_token.user_attributes['icn']
+    end
+  end
+end

app/controllers/v0/terms_of_use_agreements_controller.rb

@@ -8,12 +8,7 @@ class TermsOfUseAgreementsController < ApplicationController
 
     skip_before_action :verify_authenticity_token, only: [:update_provisioning]
     skip_before_action :authenticate
-    before_action :terms_authenticate, except: [:current_status]
-
-    def current_status
-      agreement_status = find_terms_of_use_agreement_by_icn(params[:icn])
-      render_success(action: 'current_status', body: { agreement_status: }, icn: params[:icn])
-    end
+    before_action :terms_authenticate
 
     def latest
       terms_of_use_agreement = find_latest_agreement_by_version(params[:version])
@@ -87,14 +82,6 @@ def create_cerner_cookie
       }
     end
 
-    def find_terms_of_use_agreement_by_icn(icn)
-      user_account = UserAccount.find_by(icn:)
-      return unless user_account
-
-      latest_terms_of_use_agreement = user_account.terms_of_use_agreements.current.last
-      latest_terms_of_use_agreement&.response
-    end
-
     def find_latest_agreement_by_version(version)
       @user_account.terms_of_use_agreements.where(agreement_version: version).last
     end

config/routes.rb

@@ -22,10 +22,11 @@
   get '/v0/sign_in/logingov_logout_proxy', to: 'v0/sign_in#logingov_logout_proxy'
   get '/v0/sign_in/revoke_all_sessions', to: 'v0/sign_in#revoke_all_sessions'
 
-  get '/sign_in/openid_connect/certs' => 'sign_in/openid_connect_certificates#index'
+  namespace :sign_in do
+    get '/openid_connect/certs', to: 'openid_connect_certificates#index'
+    get '/terms_of_use/current_status', to: 'terms_of_use#current_status'
 
-  unless Settings.vsp_environment == 'production'
-    namespace :sign_in do
+    unless Settings.vsp_environment == 'production'
       resources :client_configs, param: :client_id
       resources :service_account_configs, param: :service_account_id
     end

db/seeds/development.rb

@@ -165,7 +165,8 @@
 mhv_ac = SignIn::ServiceAccountConfig.find_or_initialize_by(service_account_id: 'c34b86f2130ff3cd4b1d309bc09d8740')
 mhv_ac.update!(
   description: 'MHV Account Creation - localhost',
-  scopes: ['https://mhv-intb-api.myhealth.va.gov/mhvapi/v1/usermgmt/account-service/account'],
+  scopes: ['https://mhv-intb-api.myhealth.va.gov/mhvapi/v1/usermgmt/account-service/account',
+           'http://localhost:3000/sign_in/terms_of_use/current_status'],
   access_token_audience: 'http://localhost:3000',
   access_token_user_attributes: ['icn'],
   access_token_duration: SignIn::Constants::ServiceAccountAccessToken::VALIDITY_LENGTH_SHORT_MINUTES,

spec/controllers/sign_in/terms_of_use_controller_spec.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe SignIn::TermsOfUseController, type: :controller do
+  let(:service_account_config) { create(:service_account_config, scopes:) }
+  let(:service_account_id) { service_account_config.service_account_id }
+  let(:scopes) { ['http://www.example.com/sign_in/terms_of_use'] }
+  let(:service_account_access_token) do
+    create(:service_account_access_token, service_account_id:, scopes:, user_attributes: { icn: })
+  end
+  let(:sts_token) do
+    SignIn::ServiceAccountAccessTokenJwtEncoder.new(service_account_access_token:).perform
+  end
+  let!(:current_terms_of_use_agreement) { create(:terms_of_use_agreement, user_account:) }
+  let!(:user_account) { create(:user_account) }
+  let(:icn) { user_account&.icn }
+  let(:response_body) { JSON.parse(response.body) }
+  let(:expected_log_message) { '[SignIn][TermsOfUseController] current_status success' }
+
+  before do
+    controller.request.headers['Authorization'] = "Bearer #{sts_token}"
+    allow(Rails.logger).to receive(:info)
+  end
+
+  describe 'GET #current_status' do
+    before { get :current_status }
+
+    context 'when authenticated' do
+      shared_examples 'logs a success message' do
+        it 'logs a success message' do
+          expect(Rails.logger).to have_received(:info).with(expected_log_message, icn:)
+        end
+      end
+
+      context 'with an existing terms of use agreement' do
+        it 'returns a success response with the agreement status' do
+          expect(response).to be_successful
+          expect(response_body['agreement_status']).to eq(current_terms_of_use_agreement.response)
+        end
+
+        include_examples 'logs a success message'
+      end
+
+      context 'without an existing terms of use agreement' do
+        let(:current_terms_of_use_agreement) { nil }
+
+        it 'returns a success response with a nil agreement status' do
+          expect(response).to be_successful
+          expect(response_body['agreement_status']).to be_nil
+        end
+
+        include_examples 'logs a success message'
+      end
+
+      context 'when user account does not exist' do
+        let(:user_account) { nil }
+        let(:current_terms_of_use_agreement) { nil }
+
+        it 'returns a success response with a nil agreement status' do
+          expect(response).to be_successful
+          expect(response_body['agreement_status']).to be_nil
+        end
+
+        include_examples 'logs a success message'
+      end
+    end
+
+    context 'when not authenticated' do
+      let(:sts_token) { 'invalid_token' }
+
+      it 'returns an unauthorized response' do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+end

spec/controllers/v0/terms_of_use_agreements_controller_spec.rb

@@ -23,46 +23,6 @@
     allow_any_instance_of(MPI::Service).to receive(:find_profile_by_identifier).and_return(find_profile_response)
   end
 
-  describe 'GET #current_status' do
-    subject { get :current_status, params: { icn: } }
-
-    it 'returns ok status' do
-      subject
-      expect(response).to have_http_status(:ok)
-    end
-
-    context 'when a terms of use agreement exists for the authenticated user' do
-      let!(:terms_of_use_acceptance) do
-        create(:terms_of_use_agreement, user_account:, response: terms_response, agreement_version:)
-      end
-
-      context 'and terms of use agreement has been accepted' do
-        let(:terms_response) { 'accepted' }
-
-        it 'returns accepted status' do
-          subject
-          expect(JSON.parse(response.body)['agreement_status']).to eq(terms_response)
-        end
-      end
-
-      context 'and terms of use agreement has been declined' do
-        let(:terms_response) { 'declined' }
-
-        it 'returns declined status' do
-          subject
-          expect(JSON.parse(response.body)['agreement_status']).to eq(terms_response)
-        end
-      end
-    end
-
-    context 'when a terms of use agreement does not exist for the authenticated user' do
-      it 'returns nil status' do
-        subject
-        expect(JSON.parse(response.body)['agreement_status']).to eq(nil)
-      end
-    end
-  end
-
   describe 'GET #latest' do
     subject { get :latest, params: { version: agreement_version, terms_code: } }