feat(ids-api): Filter out accessControlled scopes

libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts

@@ -2,7 +2,7 @@ import { z } from 'zod'
 
 import { AdminPortalScope, ApiScope, AuthScope } from '@island.is/auth/scopes'
 import { defineConfig } from '@island.is/nest/config'
-import { DelegationType } from './types/delegationType'
+import { AuthDelegationType } from '@island.is/shared/types'
 
 const customScopeRuleSchema = z.array(
   z.object({
@@ -21,7 +21,7 @@ const customScopeRuleSchema = z.array(
       z
         .string()
         .refine((val) =>
-          Object.values(DelegationType).includes(val as DelegationType),
+          Object.values(AuthDelegationType).includes(val as AuthDelegationType),
         ),
     ),
   }),
@@ -42,56 +42,56 @@ export const DelegationConfig = defineConfig<z.infer<typeof schema>>({
     customScopeRules: env.optionalJSON('DELEGATION_CUSTOM_SCOPE_RULES') ?? [
       {
         scopeName: AuthScope.delegations,
-        onlyForDelegationType: [DelegationType.ProcurationHolder],
+        onlyForDelegationType: [AuthDelegationType.ProcurationHolder],
       },
       {
         scopeName: AdminPortalScope.delegations,
-        onlyForDelegationType: [DelegationType.ProcurationHolder],
+        onlyForDelegationType: [AuthDelegationType.ProcurationHolder],
       },
       {
         scopeName: ApiScope.samradsgatt,
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
       {
         scopeName: ApiScope.financeSalary,
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
       {
         scopeName: ApiScope.company,
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
       {
         // This scope is not in use in our repo hence plain string instead of enum.
         scopeName: '@akureyri.is/service-portal',
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
       {
         // The branch auth-api/custom-delegation-scope-rule is changing this, but it is not merged yet and this is required for release.
         // Todo: add this to the scope migration of the branch
         scopeName: '@island.is/applications/orkusjodur',
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
       {
         // This scope is not in use in our repo hence plain string instead of enum.
         scopeName: '@skagafjordur.is/ibuagatt',
         onlyForDelegationType: [
-          DelegationType.ProcurationHolder,
-          DelegationType.Custom,
+          AuthDelegationType.ProcurationHolder,
+          AuthDelegationType.Custom,
         ],
       },
     ],

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts

@@ -1,5 +1,6 @@
 import { Inject, Injectable, Logger } from '@nestjs/common'
 import { InjectModel } from '@nestjs/sequelize'
+import { ConfigType } from '@nestjs/config'
 import * as kennitala from 'kennitala'
 import uniqBy from 'lodash/uniqBy'
 import { Op } from 'sequelize'
@@ -29,6 +30,7 @@ import { DelegationValidity } from './types/delegationValidity'
 import { partitionWithIndex } from './utils/partitionWithIndex'
 import { getScopeValidityWhereClause } from './utils/scopes'
 import { DelegationDelegationType } from './models/delegation-delegation-type.model'
+import { DelegationConfig } from './DelegationConfig'
 
 type FindAllValidIncomingOptions = {
   nationalId: string
@@ -56,6 +58,8 @@ export class DelegationsIncomingCustomService {
     private companyRegistryClient: CompanyRegistryClientService,
     @Inject(LOGGER_PROVIDER)
     private logger: Logger,
+    @Inject(DelegationConfig.KEY)
+    private delegationConfig: ConfigType<typeof DelegationConfig>,
     private auditService: AuditService,
   ) {}
 
@@ -182,15 +186,32 @@ export class DelegationsIncomingCustomService {
     })
   }
 
+  private filterByCustomScopeRule(scope: ApiScopeInfo) {
+    const foundCSR = this.delegationConfig.customScopeRules.find(
+      (csr) => csr.scopeName === scope.name,
+    )
+
+    if (!foundCSR) {
+      return true
+    }
+
+    return foundCSR.onlyForDelegationType.includes(
+      AuthDelegationType.GeneralMandate,
+    )
+  }
+
   async findAllAvailableGeneralMandate(
     user: User,
     clientAllowedApiScopes: ApiScopeInfo[],
     requireApiScopes: boolean,
   ): Promise<MergedDelegationDTO[]> {
-    const customApiScopes = clientAllowedApiScopes.filter((s) =>
-      s.supportedDelegationTypes?.some(
-        (dt) => dt.delegationType === AuthDelegationType.GeneralMandate,
-      ),
+    const customApiScopes = clientAllowedApiScopes.filter(
+      (s) =>
+        !s.isAccessControlled &&
+        this.filterByCustomScopeRule(s) &&
+        s.supportedDelegationTypes?.some(
+          (dt) => dt.delegationType === AuthDelegationType.GeneralMandate,
+        ),
     )
 
     if (requireApiScopes && !(customApiScopes && customApiScopes.length > 0)) {