
[VI-850] updates SiS session refresher to poll MPI for id theft & death flags #19752

Open · wants to merge 20 commits into master from VI-850_mpi_flag_checks

Conversation

bramleyjl (Contributor) commented Dec 5, 2024

Summary

This PR serves to patch a vulnerability discovered wherein a mobile user who originally authenticated with valid MPI death & id_theft flags had one of those authentication-blocking attributes updated in MPI but was maintaining a session on the VA mobile app. This change makes it so that every time a User model is instantiated via SiS auth it checks the MPI profile (Redis cache or MPI API query) for MPI death & id theft flags.

Code changes

  • Updates services/sign_in/user_loader::reload_user method to call newly-created User model validate_mpi_profile method.
  • The MPI profile is checked for id_theft_flag and deceased_date attributes, and failure of either validation results in an MPILockedAccountError being raised and the authentication action terminating.
  • Specs covering these changes to
    • base & mobile module ApplicationController spec
    • UserLoader spec
    • User model spec

Related issue(s)

Testing done

  • New code is covered by unit tests
  • Update your user's vets-api-mockdata mvi/profile_icn/<icn>.yml to include one of the following:
    1. Deceased Flag - within the <patientPerson> block add the following two attributes
      • <deceasedInd nullFlavor="PINF" value="true"/>
      • <deceasedTime value="19991231"/>
    2. ID Theft Flag - within the <patient classCode="PAT"> block add the following attribute
      • <confidentialityCode code="ID_THEFT^TRUE"/>
  • Authenticate & attempt to access an authenticated route - you should receive a 403 error with the appropriate MPI flag message.

What areas of the site does it impact?

Authenticated routes

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • Feature/bug has a monitor built into Datadog (if applicable)
  • If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected
  • I added a screenshot of the developed feature

Requested Feedback

(OPTIONAL) What should the reviewers know in addition to the above? Is there anything specific you wish the reviewer to assist with? Do you have any concerns with this PR, and why?
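An added example (not code from this PR or from vets-api) of the check the summary and code-changes list describe, in Ruby: a profile validation that raises when either MPI flag is present, and a loader that runs it on every session reload rather than only at login. MpiProfile, MpiProfileValidator, the attribute names and the 200/403 mapping are assumptions standing in for the real classes.

```ruby
require 'date'

# Assumed stand-in for the error the PR describes (not the vets-api class).
class MPILockedAccountError < StandardError
  attr_reader :flag

  def initialize(flag)
    @flag = flag
    super("MPI profile is locked: #{flag}")
  end
end

# Assumed stand-in for the MPI profile (Redis cache or MPI API response).
MpiProfile = Struct.new(:icn, :id_theft_flag, :deceased_date, keyword_init: true)

module MpiProfileValidator
  # Mirrors the described validate_mpi_profile: refuse to (re)build a session
  # for a profile that carries a deceased date or an identity-theft flag.
  # Returns the profile when clean, raises MPILockedAccountError otherwise.
  def self.validate!(profile)
    raise MPILockedAccountError, 'deceased' if profile.deceased_date
    raise MPILockedAccountError, 'id_theft' if profile.id_theft_flag
    profile
  end
end

# Stand-in for UserLoader#reload_user: the check runs every time the User is
# rebuilt from the SiS session, so a flag set after login still locks the user.
class UserLoader
  def initialize(profile_lookup)
    @profile_lookup = profile_lookup # icn => MpiProfile
  end

  # Returns the status the controller would answer with (200, or 403 + flag).
  def reload_user(icn)
    profile = MpiProfileValidator.validate!(@profile_lookup.fetch(icn))
    { icn: profile.icn, status: 200 }
  rescue MPILockedAccountError => e
    { icn: icn, status: 403, error: e.flag }
  end
end

# Constructed sample profiles, one per outcome (the deceased date matches the
# deceasedTime value from the mockdata steps in "Testing done").
SAMPLE_PROFILES = {
  'icn-clean' => MpiProfile.new(icn: 'icn-clean'),
  'icn-deceased' => MpiProfile.new(icn: 'icn-deceased', deceased_date: Date.new(1999, 12, 31)),
  'icn-theft' => MpiProfile.new(icn: 'icn-theft', id_theft_flag: true)
}.freeze
```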

@bramleyjl bramleyjl marked this pull request as ready for review December 5, 2024 20:22
@bramleyjl bramleyjl requested a review from a team as a code owner December 5, 2024 20:22
@va-vfs-bot va-vfs-bot temporarily deployed to VI-850_mpi_flag_checks/main/main December 5, 2024 20:37 Inactive
@bramleyjl bramleyjl force-pushed the VI-850_mpi_flag_checks branch from 472cb23 to b52aabd Compare December 5, 2024 20:41
@va-vfs-bot va-vfs-bot temporarily deployed to VI-850_mpi_flag_checks/main/main December 5, 2024 20:56 Inactive
@bramleyjl bramleyjl force-pushed the VI-850_mpi_flag_checks branch from b52aabd to 1d03fa0 Compare December 6, 2024 16:38
@bramleyjl bramleyjl requested review from a team as code owners December 6, 2024 16:38
@bramleyjl bramleyjl force-pushed the VI-850_mpi_flag_checks branch from 1d03fa0 to 99045fe Compare December 6, 2024 16:38
@va-vfs-bot va-vfs-bot temporarily deployed to VI-850_mpi_flag_checks/main/main December 6, 2024 17:03 Inactive
ericboehs
ericboehs previously approved these changes Dec 6, 2024
Review comment on app/services/sign_in/session_refresher.rb (outdated, resolved)
bosawt (Contributor) commented Dec 6, 2024

I wonder if we could put this in UserLoader and run the checks when the user model has to be recreated

@bramleyjl bramleyjl force-pushed the VI-850_mpi_flag_checks branch from 2ccded6 to 0c60c50 Compare December 19, 2024 17:37
bosawt (Contributor) left a comment

Looks good, thanks for making those changes

@bramleyjl bramleyjl requested a review from ericboehs December 19, 2024 17:51
emilykim13 (Contributor) left a comment

Tested with new changes, lgtm with the changes!

@va-vfs-bot va-vfs-bot temporarily deployed to VI-850_mpi_flag_checks/main/main December 20, 2024 15:32 Inactive
DonMcCaugheyUSDS left a comment

Nice -- thank you!
