Merge pull request #513 from guardian/an/access-permissions-logging

Logging of permission status
guardian · Jun 14, 2024 · d81b4be · d81b4be
2 parents 392920b + bf68c4b
commit d81b4be
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/app/controllers/PanDomainAuthActions.scala b/app/controllers/PanDomainAuthActions.scala
@@ -1,13 +1,26 @@
 package controllers
 
 import com.gu.pandahmac.HMACAuthActions
+import com.gu.pandomainauth.PanDomain
 import com.gu.pandomainauth.model.AuthenticatedUser
 import services.Config
+import permissions.Permissions
+import play.api.Logging
 
-trait PanDomainAuthActions extends HMACAuthActions {
+trait PanDomainAuthActions extends HMACAuthActions with Logging {
 
   override def validateUser(authedUser: AuthenticatedUser): Boolean = {
-    (authedUser.user.email endsWith ("@guardian.co.uk")) && authedUser.multiFactor
+    val isValid = PanDomain.guardianValidation(authedUser)
+
+    val canAccess = Permissions.testUser(Permissions.TagManagerAccess)(authedUser.user.email)
+
+    if (!isValid) {
+      logger.warn(s"User ${authedUser.user.email} is not valid")
+    } else if (!canAccess) {
+      logger.warn(s"User ${authedUser.user.email} does not have tag_manager_access permission")
+    }
+
+    isValid // TODO && canAccess
   }
 
   override def cacheValidation = true

diff --git a/app/permissions/Permissions.scala b/app/permissions/Permissions.scala
@@ -7,26 +7,27 @@ import services.Config
 object Permissions {
   val app = "tag-manager"
 
+  val TagManagerAccess: PermissionDefinition = PermissionDefinition("tag_manager_access", app)
   val TagEdit: PermissionDefinition = PermissionDefinition("tag_edit", app)
   val TagAdmin: PermissionDefinition = PermissionDefinition("tag_admin", app)
   val CommercialTags: PermissionDefinition = PermissionDefinition("commercial_tags", app)
-  val TagUnaccessible: PermissionDefinition = PermissionDefinition("tag_no_one", app)
 
   private val permissionDefinitions = Map(
+    "tag_manager_access" -> TagManagerAccess,
     "tag_edit" -> TagEdit,
     "tag_admin" -> TagAdmin,
     "commercial_tags" -> CommercialTags,
-    "tag_no_one" -> TagUnaccessible
   )
 
   private val credentials: AWSCredentialsProvider = new DefaultAWSCredentialsProviderChain()
 
   private val permissions: PermissionsProvider = PermissionsProvider(PermissionsConfig(Config().permissionsStage, Config().aws.region, credentials))
 
-  def testUser(permission:PermissionDefinition)(email: String): Boolean = {
+  def testUser(permission: PermissionDefinition)(email: String): Boolean = {
     println("Permissions for: " + email)
     permissions.hasPermission(permission, email)
   }
-  def getPermissionsForUser(email: String): Map[String, Boolean] = permissionDefinitions.transform((_, permission) => permissions.hasPermission(permission, email))
+  def getPermissionsForUser(email: String): Map[String, Boolean] =
+    permissionDefinitions.mapValues(permission => permissions.hasPermission(permission, email))
 }