From 75ac386c84a8ec5177bb5643feabd7d00c0ca691 Mon Sep 17 00:00:00 2001
From: Matti Lamppu
Date: Mon, 16 Dec 2024 13:03:54 +0200
Subject: [PATCH] Return error from profile endpoint if keycloak expired
---
 .../test_helsinki_profile/test_query.py | 21 +++++++++++++++++++
 .../api/graphql/extensions/error_codes.py | 2 ++
 tilavarauspalvelu/api/graphql/schema.py | 11 +++++++---
 .../graphql/types/helsinki_profile/types.py | 5 +++++
 4 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/tests/test_graphql_api/test_helsinki_profile/test_query.py b/tests/test_graphql_api/test_helsinki_profile/test_query.py
index 3af754687..fcad9875c 100644
--- a/tests/test_graphql_api/test_helsinki_profile/test_query.py
+++ b/tests/test_graphql_api/test_helsinki_profile/test_query.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING, Any
+
 import pytest
 from tilavarauspalvelu.utils.helauth.clients import HelsinkiProfileClient
@@ -12,6 +14,9 @@
 from .helpers import profile_query
+if TYPE_CHECKING:
+ from tilavarauspalvelu.typing import SessionMapping
+
 # Applied to all tests
 pytestmark = [
 pytest.mark.django_db,
@@ -334,3 +339,19 @@ def test_helsinki_profile_data__query__unit_admin(graphql):
 "firstName": profile_data["verifiedPersonalInformation"]["firstName"],
 "lastName": profile_data["verifiedPersonalInformation"]["lastName"],
 }
+
+
+def test_helsinki_profile_data__query__keycloak_token_expired(graphql):
+ user = UserFactory.create(profile_id="foo", social_auth__extra_data__amr=ProfileLoginAMR.SUOMI_FI.value)
+ application = ApplicationFactory.create(user=user)
+
+ graphql.login_with_superuser()
+ query = profile_query(application_id=application.id)
+
+ def change_session(session: SessionMapping, **kwargs: Any) -> None:
+ session["keycloak_refresh_token_expired"] = True
+
+ with patch_method(HelsinkiProfileClient.get_user_profile_info, side_effect=change_session):
+ response = graphql(query)
+
+ assert response.error_message() == "Keycloak refresh token is expired. Please log out and back in again."
diff --git a/tilavarauspalvelu/api/graphql/extensions/error_codes.py b/tilavarauspalvelu/api/graphql/extensions/error_codes.py
index 09d3bf102..45747efef 100644
--- a/tilavarauspalvelu/api/graphql/extensions/error_codes.py
+++ b/tilavarauspalvelu/api/graphql/extensions/error_codes.py
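Review bot: The new test `test_helsinki_profile_data__query__keycloak_token_expired` in test_query.py asserts only the error message, so the `HELSINKI_PROFILE_KEYCLOAK_REFRESH_TOKEN_EXPIRED` code that clients are expected to branch on is never pinned. Add an assertion on the error's `extensions["code"]`, using whatever helper the response object offers for that. The mocked `get_user_profile_info` also appears to return `None` (the side effect has no return value), so the test silently depends on the expired check running before the `data is None` branch in `get_data`. A comment such as `# Mock returns None: the expired-token error must win over HELSINKI_PROFILE_TOKEN_INVALID.` would make that ordering requirement explicit.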
@@ -40,8 +40,10 @@
 HELSINKI_PROFILE_APPLICATION_USER_NOT_FOUND = "HELSINKI_PROFILE_APPLICATION_USER_NOT_FOUND"
 HELSINKI_PROFILE_RESERVATION_USER_MISSING = "HELSINKI_PROFILE_RESERVATION_USER_MISSING"
 HELSINKI_PROFILE_RESERVATION_USER_NOT_FOUND = "HELSINKI_PROFILE_RESERVATION_USER_NOT_FOUND"
+HELSINKI_PROFILE_USER_NOT_FOUND = "HELSINKI_PROFILE_USER_NOT_FOUND"
 HELSINKI_PROFILE_TOKEN_INVALID = "HELSINKI_PROFILE_TOKEN_INVALID" # noqa: S105 # nosec # NOSONAR
 HELSINKI_PROFILE_USER_MISSING_PROFILE_ID = "HELSINKI_PROFILE_USER_MISSING_PROFILE_ID"
+HELSINKI_PROFILE_KEYCLOAK_REFRESH_TOKEN_EXPIRED = "HELSINKI_PROFILE_KEYCLOAK_REFRESH_TOKEN_EXPIRED" # noqa: S105 # nosec # NOSONAR
 CANNOT_REJECT_APPLICATION_OPTIONS = "CANNOT_REJECT_APPLICATION_OPTIONS"
 CANNOT_REJECT_SECTION_OPTIONS = "CANNOT_REJECT_SECTION_OPTIONS"
diff --git a/tilavarauspalvelu/api/graphql/schema.py b/tilavarauspalvelu/api/graphql/schema.py
index 18e321fa9..b999902f0 100644
--- a/tilavarauspalvelu/api/graphql/schema.py
+++ b/tilavarauspalvelu/api/graphql/schema.py
@@ -216,9 +216,14 @@ class Query(graphene.ObjectType):
 )
 profile_data = Field(
 HelsinkiProfileDataNode,
- reservation_id=graphene.Int(),
- application_id=graphene.Int(),
- description="Get information about the user, using Helsinki profile if necessary.",
+ reservation_id=graphene.Int(description="View profile data for this reservation user."),
+ application_id=graphene.Int(description="View profile data for this application user."),
+ description=(
+ "Get information about a user from Helsinki profile. "
+ "If user is not a profile user, still return known information. "
+ "Use only one of 'user_id', 'reservation_id' or 'application_id' to determine what user to get data for. "
+ "This determined required permissions to view the user's info."
+ ),
 )
 # # Misc.
diff --git a/tilavarauspalvelu/api/graphql/types/helsinki_profile/types.py b/tilavarauspalvelu/api/graphql/types/helsinki_profile/types.py
index a135dff67..643e34457 100644
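Review bot: `HELSINKI_PROFILE_USER_NOT_FOUND` is added in error_codes.py but none of the four files in this patch references it, whereas `HELSINKI_PROFILE_KEYCLOAK_REFRESH_TOKEN_EXPIRED` is raised in types.py. If the constant belongs to a follow-up change (the `user_id` mentioned in the schema description hints at one), it is cleaner to introduce it there. Otherwise, a short comment saying where it is raised would keep the code list traceable.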
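Review bot: The new `profile_data` description in schema.py tells callers to use one of 'user_id', 'reservation_id' or 'application_id', but the Field in this hunk declares only `reservation_id` and `application_id`, so the published schema documents an argument that is not defined here. Because the text says the chosen argument decides which permission check applies, it should also state what happens when both arguments are sent; whether `get_data` rejects that case is not visible in this patch. The last sentence has a tense slip and would read better as `"This determines the permissions required to view the user's info."`.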
--- a/tilavarauspalvelu/api/graphql/types/helsinki_profile/types.py
+++ b/tilavarauspalvelu/api/graphql/types/helsinki_profile/types.py
@@ -91,6 +91,11 @@ def get_data(
 session=info.context.session,
 fields=fields,
 )
+ if info.context.session.get("keycloak_refresh_token_expired", False):
+ msg = "Keycloak refresh token is expired. Please log out and back in again."
+ extensions = {"code": error_codes.HELSINKI_PROFILE_KEYCLOAK_REFRESH_TOKEN_EXPIRED}
+ raise GraphQLError(msg, extensions=extensions)
+
 if data is None:
 msg = "Helsinki profile token is not valid and could not be refreshed."
 extensions = {"code": error_codes.HELSINKI_PROFILE_TOKEN_INVALID}
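Review bot: The added check in `get_data` reads `keycloak_refresh_token_expired` from the session on every call and runs before `data` is inspected, and nothing in this hunk resets the flag. If the flag can outlive the request that set it (where it is written and cleared is outside this patch), a call that did return profile data would still be rejected. If that is not intended, scope the check as `if data is None and info.context.session.get("keycloak_refresh_token_expired", False):`. A comment naming the writer of the flag, e.g. `# Presumably set by HelsinkiProfileClient when the Keycloak refresh token can no longer be used - confirm.`, would make the session coupling visible to the next reader. `get_data` starts and ends outside the hunk.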