Add temporary CBA flag for administering CBA functionality in select …

…organisations

app/controllers/super_admin/organisations_controller.rb

@@ -1,6 +1,8 @@
 class SuperAdmin::OrganisationsController < SuperAdminController
   helper_method :sort_column, :sort_direction
 
+  before_action :set_organisation, only: %i[show destroy toggle_cba_feature]
+
   def index
     @organisations = Organisation.sortable_with_child_counts(sort_column, sort_direction)
 
@@ -31,6 +33,11 @@ def destroy
     redirect_to super_admin_organisations_path, notice: "Organisation has been removed"
   end
 
+  def toggle_cba_feature
+    @organisation.update!(cba_enabled: !@organisation.cba_enabled)
+    redirect_to super_admin_organisation_path, notice: "Cba feature flag toggled successfully"
+  end
+
 private
 
   def sortable_columns

app/models/organisation.rb

@@ -10,6 +10,8 @@ class Organisation < ApplicationRecord
   validates :service_email, format: { with: Devise.email_regexp }
   validate :validate_in_register?, unless: proc { |org| org.name.blank? }
 
+  validates :cba_enabled, inclusion: { in: [true, false] }, allow_nil: true
+
   validates_associated :locations
 
   scope :sortable_with_child_counts, lambda { |sort_column, sort_direction|
@@ -19,6 +21,14 @@ class Organisation < ApplicationRecord
       .order(sort_column => sort_direction)
   }
 
+  def enable_cba_feature!
+    update(cba_enabled: true)
+  end
+
+  def disable_cba_feature!
+    update(cba_enabled: false)
+  end
+
   def meets_invited_admin_user_minimum?
     memberships.count(&:administrator?) >= 2
   end

app/views/logs/index.html.erb

@@ -32,7 +32,10 @@
     <thead class="govuk-table__head">
       <tr class="govuk-table__row">
         <% unless log_search_form.username %>
-          <th class="govuk-table__header" scope="col">Username</th>
+          <th class="govuk-table__header" scope="col">Username or ID</th>
+        <% end %>
+        <% if log_search_form.ip && current_organisation&.cba_enabled? %>
+          <th class="govuk-table__header" scope="col">Authentication Method</th>
         <% end %>
         <th class="govuk-table__header" scope="col">Access Point</th>
         <th class="govuk-table__header" scope="col">MAC Address</th>
@@ -59,6 +62,9 @@
               <% end %>
             </td>
           <% end %>
+          <% if log_search_form.ip && current_organisation&.cba_enabled? %>
+            <td class="govuk-table__cell"><%= log.cert_name %></td>
+          <% end %>
           <td class="govuk-table__cell"><%= log.ap %></td>
           <td class="govuk-table__cell"><%= log.mac %></td>
           <% unless log_search_form.ip %>

app/views/super_admin/organisations/_cba_form.html.erb

@@ -0,0 +1,21 @@
+<% cba_enabled = organisation.cba_enabled %>
+
+  <p class="govuk-body">
+    Show both EAP/TLS and MS-CHAPv2 authentication attempts in the logs. This is for organisations using Certificate Based Authentication (CBA)
+  </p>
+  <% if cba_enabled %>
+    <p class="govuk-body">
+      This organisation can see the CBA logs.
+    </p>
+  <% else %>
+    <p class="govuk-body">
+      This organisation cannot see the CBA logs.
+    </p>
+  <% end %>
+
+<div id="cba-form">
+  <%= form_with(model: @organisation, url: toggle_cba_feature_super_admin_organisation_path(@organisation), method: :patch) do |form| %>
+    <%= form.hidden_field :cba_enabled, value: !@organisation.cba_enabled %>
+    <%= form.submit(@organisation.cba_enabled ? "Turn off CBA logs" : "Turn on CBA logs", class: @organisation.cba_enabled ? "govuk-button govuk-button--secondary" : "govuk-button") %>
+  <% end %>
+</div>

app/views/super_admin/organisations/show.html.erb

@@ -35,6 +35,10 @@
       <%= render "mou_form", organisation: @organisation %>
     <% end %>
 
+    <%= render "section", heading: "CBA" do %>
+      <%= render "cba_form", organisation: @organisation %>
+    <% end %>
+
     <%= render "section", heading: "Locations" do %>
       <%== pagy_nav_govuk(@pagy) %>
       <%= render "locations", locations: @locations %>

config/routes.rb

@@ -70,6 +70,7 @@
     end
     resources :mou, only: %i[index update create]
     resources :organisations, only: %i[index show destroy] do
+      patch "toggle_cba_feature", to: "organisations#toggle_cba_feature", on: :member
       collection do
         get "service_emails", to: "organisations#service_emails", constraints: { format: "csv" }
       end

db/migrate/20231228135538_add_cba_enabled_to_organisations.rb

@@ -0,0 +1,5 @@
+class AddCbaEnabledToOrganisations < ActiveRecord::Migration[7.0]
+  def change
+    add_column :organisations, :cba_enabled, :boolean
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_06_19_161245) do
+ActiveRecord::Schema[7.0].define(version: 2023_12_28_135538) do
   create_table "active_storage_attachments", charset: "utf8", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -96,6 +96,7 @@
     t.datetime "created_at", precision: nil, null: false
     t.datetime "updated_at", precision: nil, null: false
     t.string "service_email"
+    t.boolean "cba_enabled"
     t.index ["name"], name: "index_organisations_on_name", unique: true
   end
 

db/seeds.rb

@@ -120,3 +120,7 @@ def create_user_for_organisations(
 end
 
 MouTemplate.create!
+
+Organisation.all.each do |org|
+  org.update(cba_enabled: false)
+end

spec/features/logging/view_auth_requests_for_an_ip_spec.rb

@@ -9,8 +9,8 @@
     let(:ip) { location.ips.first.address }
     let(:location) { user.organisations.first.locations.first }
     before do
-      create(:organisation, :with_location_and_ip, users: [user])
-      create(:session, siteIP: ip, username: "Aaaaaa")
+      create(:organisation, :with_location_and_ip, users: [user], cba_enabled: true)
+      create(:session, siteIP: ip, username: "Aaaaaa", cert_name: "EAP-TLS")
     end
     describe "when using a link" do
       before do