APPEALS-46324: CE API User Management

Gemfile

@@ -57,7 +57,7 @@ gem "redis-namespace"
 gem "redis-rails", "~> 5.0.2"
 gem "redis-semaphore"
 gem "request_store"
-gem "ruby_claim_evidence_api", git: "https://github.com/department-of-veterans-affairs/ruby_claim_evidence_api.git", ref: "095798918338650383b06ff535bc63fc5fbfc8dc"
+gem "ruby_claim_evidence_api", git: "https://github.com/department-of-veterans-affairs/ruby_claim_evidence_api.git", ref: "4ed23adddb3f584d3a530ef64dcb9ea0cf0eb2b3"
 gem "rubyzip", ">= 1.3.0"
 gem "sass-rails", "~> 5.0"
 gem "sentry-raven"

Gemfile.lock

@@ -74,8 +74,8 @@ GIT
 
 GIT
   remote: https://github.com/department-of-veterans-affairs/ruby_claim_evidence_api.git
-  revision: 095798918338650383b06ff535bc63fc5fbfc8dc
-  ref: 095798918338650383b06ff535bc63fc5fbfc8dc
+  revision: 4ed23adddb3f584d3a530ef64dcb9ea0cf0eb2b3
+  ref: 4ed23adddb3f584d3a530ef64dcb9ea0cf0eb2b3
   specs:
     ruby_claim_evidence_api (0.1.0)
       activesupport
@@ -225,7 +225,7 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.12.2)
-    concurrent-ruby (1.3.3)
+    concurrent-ruby (1.3.4)
     crack (1.0.0)
       bigdecimal
       rexml
@@ -261,7 +261,7 @@ GEM
       google-protobuf (>= 3.18, < 5.a)
     gyoku (1.3.1)
       builder (>= 2.1.2)
-    hashdiff (1.1.0)
+    hashdiff (1.1.1)
     hashie (4.1.0)
     httparty (0.18.1)
       mime-types (~> 3.0)
@@ -308,8 +308,7 @@ GEM
     mime-types-data (3.2020.1104)
     mini_magick (4.11.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
-    minitest (5.24.1)
+    minitest (5.25.1)
     moment_timezone-rails (0.5.14)
       momentjs-rails (~> 2.15.1)
     momentjs-rails (2.15.1)
@@ -330,7 +329,6 @@ GEM
       net-protocol
     nio4r (2.7.3)
     nokogiri (1.15.6)
-      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     nori (2.6.0)
     omniauth (1.9.1)
@@ -440,7 +438,7 @@ GEM
     public_suffix (5.1.1)
     puma (5.6.4)
       nio4r (~> 2.0)
-    racc (1.8.0)
+    racc (1.8.1)
     rack (2.2.9)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
@@ -507,8 +505,7 @@ GEM
     regexp_parser (2.8.3)
     request_store (1.5.0)
       rack (>= 1.4)
-    rexml (3.3.1)
-      strscan
+    rexml (3.3.8)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
@@ -600,7 +597,6 @@ GEM
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
     statsd-instrument (3.7.0)
-    strscan (3.1.0)
     systemu (2.6.5)
     thor (1.3.1)
     tilt (2.0.11)
@@ -645,7 +641,7 @@ GEM
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zaru (0.3.0)
-    zeitwerk (2.6.16)
+    zeitwerk (2.6.18)
     zero_downtime_migrations (0.0.7)
       activerecord
 
@@ -742,4 +738,4 @@ DEPENDENCIES
   zero_downtime_migrations
 
 BUNDLED WITH
-   2.4.17
+   2.4.22

app/assets/stylesheets/_commons.scss

@@ -256,6 +256,16 @@ dd {
   }
 }
 
+.cf-icon-external-link {
+  vertical-align: -.45ex;
+  width: 1em;
+  height: 1em;
+
+  path {
+    fill: $cf-link;
+  }
+}
+
 .cf-icon-close {
   display: block;
   margin: auto;

app/controllers/api/v1/application_controller.rb

@@ -13,6 +13,29 @@ class Api::V1::ApplicationController < BaseController
     }, status: 500
   end
 
+  rescue_from BGS::SensitivityLevelCheckFailure do |e|
+    current_user = RequestStore[:current_user]
+    user_sensitivity_level = if current_user.present?
+                               SensitivityChecker.new.sensitivity_level_for_user(current_user)
+                             else
+                               "User is not set in the RequestStore"
+                             end
+
+    error_details = {
+      user_css_id: current_user&.css_id || "User is not set in the RequestStore",
+      user_sensitivity_level: user_sensitivity_level,
+      error_uuid: SecureRandom.uuid
+    }
+    ErrorHandlers::ClaimEvidenceApiErrorHandler.new.handle_error(error: e, error_details: error_details)
+
+    render json: {
+      status: e.message,
+      featureToggles: {
+        use_ce_api: FeatureToggle.enabled?(:use_ce_api, user: RequestStore[:current_user])
+      }
+    }, status: :forbidden
+  end
+
   rescue_from BGS::PublicError do |error|
     forbidden(error.public_message)
   end
@@ -28,7 +51,7 @@ def sensitive_record
   end
 
   def forbidden(reason = "Forbidden: unspecified")
-    render json: { status: reason }, status: 403
+    render json: { status: reason }, status: :forbidden
   end
 
   def missing_header(header)

app/controllers/api/v2/application_controller.rb

@@ -18,14 +18,39 @@ def invalid_file_number
   end
 
   def verify_veteran_file_number
-    file_number = request.headers["HTTP_FILE_NUMBER"]
-    return missing_header("File Number") unless file_number
+    file_number = fetch_file_number_from_headers
+    validate_file_number(file_number)
 
-    return invalid_file_number unless bgs_service.valid_file_number?(file_number)
+    return file_number if use_ce_api? && sensitivity_check_passed?(file_number)
 
     fetch_veteran_by_file_number(file_number)
   end
 
+  def fetch_file_number_from_headers
+    file_number = request.headers["HTTP_FILE_NUMBER"]
+    missing_header("File Number") unless file_number
+    file_number
+  end
+
+  def validate_file_number(file_number)
+    invalid_file_number unless bgs_service.valid_file_number?(file_number)
+  end
+
+  def use_ce_api?
+    FeatureToggle.enabled?(:use_ce_api, user: RequestStore[:current_user])
+  end
+
+  def sensitivity_check_passed?(file_number)
+    if sensitivity_checker.sensitivity_levels_compatible?(
+      user: current_user,
+      veteran_file_number: file_number
+    )
+      true
+    else
+      raise BGS::SensitivityLevelCheckFailure.new, "You are not authorized to access this file number"
+    end
+  end
+
   def fetch_veteran_by_file_number(file_number)
     Rails.logger.debug("UserAuthorizer for #{file_number} and current_user #{current_user.css_id}")
     authorizer = UserAuthorizer.new(user: current_user, file_number: file_number)
@@ -41,4 +66,8 @@ def fetch_veteran_by_file_number(file_number)
       raise BGS::ShareError, "Cannot access Veteran record"
     end
   end
+
+  def sensitivity_checker
+    @sensitivity_checker ||= SensitivityChecker.new
+  end
 end

app/controllers/api/v2/manifests_controller.rb

@@ -1,16 +1,26 @@
+# frozen_string_literal: true
+
 class Api::V2::ManifestsController < Api::V2::ApplicationController
+  # Need this as a before action since it gates access to these controller methods
+  before_action :veteran_file_number, only: [:start, :refresh]
+
   def start
-    file_number = verify_veteran_file_number
     return if performed?
-
+    file_number = use_ce_api? ? veteran_file_number : verify_veteran_file_number
     manifest = Manifest.includes(:sources, :records).find_or_create_by_user(user: current_user, file_number: file_number)
+
     manifest.start!
     render json: json_manifests(manifest)
   end
 
   def refresh
-    manifest = Manifest.find(params[:id])
-    return record_not_found unless manifest
+    manifest = if use_ce_api?
+                 Manifest.includes(:sources, :records).find_or_create_by_user(user: current_user, file_number: veteran_file_number)
+               else
+                 Manifest.find(params[:id])
+               end
+
+    return record_not_found if manifest.blank?
     return sensitive_record unless manifest.files_downloads.find_by(user: current_user)
 
     manifest.start!
@@ -22,7 +32,9 @@ def progress
     distribute_reads do
       files_download ||= FilesDownload.find_with_manifest(manifest_id: params[:id], user_id: current_user.id)
     end
+
     return record_not_found unless files_download
+
     render json: json_manifests(files_download.manifest)
   end
 
@@ -32,6 +44,27 @@ def history
 
   private
 
+  def use_ce_api?
+    FeatureToggle.enabled?(:use_ce_api, user: RequestStore[:current_user])
+  end
+
+  def veteran_file_number
+    @veteran_file_number ||= verify_veteran_file_number
+  end
+
+  def verify_veteran_file_number
+    # The frontend may not have set this value (needed by parent's verify_veteran_file_number)
+    # but we are still able to determine it here in the child using the manifest
+    if request.headers["HTTP_FILE_NUMBER"].blank?
+      if params[:id].present?
+        manifest = Manifest.find(params[:id])
+        request.headers["HTTP_FILE_NUMBER"] = manifest.file_number
+      end
+    end
+
+    super
+  end
+
   def json_manifests(manifest)
     ActiveModelSerializers::SerializableResource.new(
       manifest,

app/helpers/application_helper.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-# rubocop:disable Metrics/ModuleLength
 module ApplicationHelper
   def ui_user?
     return false unless RequestStore[:current_user]
+
     (RequestStore[:current_user].roles || []).include?("Download eFolder")
   end
 
@@ -13,6 +13,7 @@ def current_ga_path
     begin
       route = Rails.application.routes.recognize_path(full_path)
       return full_path unless route
+
       ["", route[:controller], route[:action]].join("/")
 
     # no match in recognize_path
@@ -21,4 +22,3 @@ def current_ga_path
     end
   end
 end
-# rubocop:enable Metrics/ModuleLength

app/jobs/v2/download_manifest_job.rb

@@ -4,18 +4,18 @@ class V2::DownloadManifestJob < ApplicationJob
   def perform(manifest_source, user = nil)
     manifest_source.update(status: :pending)
 
-    RequestStore.store[:current_user] = user if user
+    RequestStore.store[:current_user] = user if user.present?
     Raven.extra_context(manifest_source: manifest_source.id)
 
     documents = ManifestFetcher.new(manifest_source: manifest_source).process
 
     log_info(manifest_source.manifest.file_number, documents, manifest_source.manifest.zipfile_size)
 
-    V2::SaveFilesInS3Job.perform_later(manifest_source) if documents.present? && !ApplicationController.helpers.ui_user?
-  rescue StandardError => error
+    V2::SaveFilesInS3Job.perform_later(manifest_source, current_user&.id) if documents.present? && !ApplicationController.helpers.ui_user?
+  rescue StandardError => e
     manifest_source.update!(status: :failed)
-    Rails.logger.error "DownloadManifestJob encountered error #{error.class.name} when fetching manifest for appeal #{manifest_source.manifest.file_number}"
-    raise error
+    Rails.logger.error "DownloadManifestJob encountered error #{e.class.name} when fetching manifest for appeal #{manifest_source.manifest.file_number}"
+    raise e
   end
 
   def max_attempts

app/jobs/v2/save_files_in_s3_job.rb

@@ -1,8 +1,14 @@
 class V2::SaveFilesInS3Job < ApplicationJob
   queue_as :low_priority
 
-  def perform(manifest_source)
-    Raven.extra_context(manifest_source: manifest_source.id)
+  def perform(manifest_source, user_id = nil)
+    Raven.extra_context(manifest_source: manifest_source.id, user_id: user_id)
+
+    # Set user for permission check if the user is blank
+    if FeatureToggle.enabled?(:use_ce_api, user: RequestStore[:current_user]) && RequestStore[:current_user].blank?
+      user = User.find(user_id)
+      RequestStore.store[:current_user] = user
+    end
 
     manifest_source.records.each(&:fetch!)
   end