HHS
diff --git a/‎api/src/legacy_soap_api/grantors/services/get_application_zip_response.py‎
Lines changed: 14 additions & 2 deletions b/‎api/src/legacy_soap_api/grantors/services/get_application_zip_response.py‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎api/src/legacy_soap_api/legacy_soap_api_auth.py‎
Lines changed: 55 additions & 0 deletions b/‎api/src/legacy_soap_api/legacy_soap_api_auth.py‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎api/src/legacy_soap_api/legacy_soap_api_client.py‎
Lines changed: 1 addition & 0 deletions b/‎api/src/legacy_soap_api/legacy_soap_api_client.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/legacy_soap_api/legacy_soap_api_routes.py‎
Lines changed: 4 additions & 1 deletion b/‎api/src/legacy_soap_api/legacy_soap_api_routes.py‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎api/tests/src/db/models/factories.py‎
Lines changed: 1 addition & 1 deletion b/‎api/tests/src/db/models/factories.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/tests/src/legacy_soap_api/test_legacy_soap_api_auth.py‎
Lines changed: 97 additions & 0 deletions b/‎api/tests/src/legacy_soap_api/test_legacy_soap_api_auth.py‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎api/tests/src/legacy_soap_api/test_legacy_soap_api_client.py‎
Lines changed: 63 additions & 2 deletions b/‎api/tests/src/legacy_soap_api/test_legacy_soap_api_client.py‎
Lines changed: 63 additions & 2 deletions
@@ -1,4 +1,6 @@
 import logging
+from src.auth.endpoint_access_util import verify_access
+from src.legacy_soap_api.legacy_soap_api_schemas import SOAPRequest
 import uuid
 
 from botocore.exceptions import ClientError
@@ -8,13 +10,14 @@
 from src.db.models.competition_models import ApplicationSubmission
 from src.legacy_soap_api.grantors import schemas as grantor_schemas
 from src.legacy_soap_api.legacy_soap_api_constants import LegacySoapApiEvent
+from src.legacy_soap_api.legacy_soap_api_auth import validate_certificate, ENDPOINT_PRIVILEGES
 from src.util import file_util
 
 logger = logging.getLogger(__name__)
 
 
 def get_application_zip_response(
-    db_session: db.Session, get_application_zip_request: grantor_schemas.GetApplicationZipRequest
+    db_session: db.Session, soap_request: SOAPRequest, get_application_zip_request: grantor_schemas.GetApplicationZipRequest
 ) -> grantor_schemas.GetApplicationZipResponseSOAPEnvelope:
     xop_data_instance = grantor_schemas.XOPIncludeData(
         **{"@href": f"cid:{uuid.uuid4()}[email protected]"}
@@ -35,10 +38,19 @@ def get_application_zip_response(
         legacy_tracking_number = legacy_tracking_number.split("GRANT")[1]
     application = db_session.execute(
         select(ApplicationSubmission).where(
-            ApplicationSubmission.legacy_tracking_number == int(legacy_tracking_number)
+            ApplicationSubmission.legacy_tracking_number == int(legacy_tracking_number),
         )
     ).scalar()
+
     if application:
+        certificate = validate_certificate(db_session, soap_auth=soap_request.auth, api_name=soap_request.api_name)
+        if soap_request.operation_name in ENDPOINT_PRIVILEGES:
+            verify_access(
+                certificate.user,
+                {ENDPOINT_PRIVILEGES[soap_request.operation_name]},
+                application.application,
+            )
+
         try:
             filestream = file_util.open_stream(application.download_path, mode="rb")
             schema._mtom_file_stream = filestream
 
@@ -9,12 +9,25 @@
 from pydantic import BaseModel
 from requests.adapters import HTTPAdapter
 
+import src.adapters.db as db
+from src.constants.lookup_constants import Privilege
+from src.db.models.user_models import LegacyCertificate
+from src.legacy_soap_api.legacy_soap_api_config import SimplerSoapAPI
 from src.legacy_soap_api.legacy_soap_api_constants import LegacySoapApiEvent
+from src.util.datetime_util import get_now_us_eastern_date
 
 logger = logging.getLogger(__name__)
 
 MTLS_CERT_HEADER_KEY = "X-Amzn-Mtls-Clientcert"
 
+ENDPOINT_PRIVILEGES = dict(
+    GetSubmissionListExpandedRequest=Privilege.LEGACY_AGENCY_VIEWER,
+    GetApplicationRequest=Privilege.LEGACY_AGENCY_GRANT_RETRIEVER,
+    GetApplicationZipRequest=Privilege.LEGACY_AGENCY_GRANT_RETRIEVER,
+    ConfirmApplicationDeliveryRequest=Privilege.LEGACY_AGENCY_GRANT_RETRIEVER,
+    UpdateApplicationInfoReqest=Privilege.LEGACY_AGENCY_ASSIGNER,
+)
+
 
 class SOAPClientCertificateNotConfigured(Exception):
     pass
@@ -100,3 +113,45 @@ def get_soap_client_certificate(urlencoded_cert: str) -> SOAPClientCertificate:
         issuer=cert.issuer.rfc4514_string(),
         serial_number=cert.serial_number,
     )
+
+
+def validate_certificate(
+    db_session: db.Session, soap_auth: SOAPAuth | None, api_name: str
+) -> LegacyCertificate:
+    if not soap_auth:
+        logger.warning(
+            "soap_client_certificate: no soap auth",
+        )
+        raise SOAPClientCertificateLookupError("no soap auth")
+
+    serial_number_str = str(soap_auth.certificate.serial_number)
+    legacy_certificate = (
+        db_session.query(LegacyCertificate)
+        .filter(LegacyCertificate.serial_number == serial_number_str)
+        .first()
+    )
+    extra_data = {"serial_number": serial_number_str}
+
+    if not legacy_certificate:
+        logger.warning(
+            "soap_client_certificate: could not retrieve client cert for serial number",
+            extra=extra_data,
+        )
+        raise SOAPClientCertificateLookupError("could not retrieve client cert for serial number")
+
+    extra_data.update({"legacy_certificate_id": str(legacy_certificate.legacy_certificate_id)})
+    if legacy_certificate.expiration_date <= get_now_us_eastern_date():
+        logger.warning(
+            "soap_client_certificate: certificate is expired",
+            extra=extra_data,
+        )
+        raise SOAPClientCertificateLookupError("certificate is expired")
+
+    if not legacy_certificate.agency and api_name == SimplerSoapAPI.GRANTORS:
+        logger.warning(
+            "soap_client_certificate: certificate does not have agency",
+            extra=extra_data,
+        )
+        raise SOAPClientCertificateLookupError("certificate does not have agency")
+
+    return legacy_certificate
@@ -225,6 +225,7 @@ class SimplerGrantorsS2SClient(BaseSOAPClient):
     def GetApplicationZipRequest(self) -> grantors_schemas.GetApplicationZipResponseSOAPEnvelope:
         return get_application_zip_response(
             db_session=self.db_session,
+            soap_request=self.soap_request,
             get_application_zip_request=grantors_schemas.GetApplicationZipRequest(
                 **self.get_soap_request_dict()
             ),
 
@@ -4,7 +4,10 @@
 
 import src.adapters.db as db
 import src.adapters.db.flask_db as flask_db
-from src.legacy_soap_api.legacy_soap_api_auth import MTLS_CERT_HEADER_KEY, get_soap_auth
+from src.legacy_soap_api.legacy_soap_api_auth import (
+    MTLS_CERT_HEADER_KEY,
+    get_soap_auth,
+)
 from src.legacy_soap_api.legacy_soap_api_blueprint import legacy_soap_api_blueprint
 from src.legacy_soap_api.legacy_soap_api_constants import LegacySoapApiEvent
 from src.legacy_soap_api.legacy_soap_api_proxy import get_proxy_response
 
@@ -3149,7 +3149,7 @@ class Meta:
 
     legacy_certificate_id = Generators.UuidObj
     cert_id = factory.Faker("random_int", min=1000, max=10000000)
-    serial_number = factory.Faker("random_int", min=1000, max=10000000)
+    serial_number = factory.Sequence(lambda n: f"{n}")
     expiration_date = factory.Faker("future_date", end_date="+2y")
     user_id = factory.LazyAttribute(lambda s: s.user.user_id)
     user = factory.SubFactory(UserFactory)
 
@@ -1,3 +1,6 @@
+from datetime import date
+from src.constants.lookup_constants import Privilege
+import uuid
 from unittest.mock import patch
 
 import pytest
@@ -8,6 +11,15 @@
     SOAPClientCertificateLookupError,
     SOAPClientCertificateNotConfigured,
     get_soap_auth,
+    validate_certificate,
+)
+from src.legacy_soap_api.legacy_soap_api_config import SimplerSoapAPI
+from tests.src.db.models.factories import (
+    AgencyFactory,
+    AgencyUserFactory,
+    AgencyUserRoleFactory,
+    LegacyAgencyCertificateFactory,
+    RoleFactory,
 )
 
 MOCK_FINGERPRINT = "123"
@@ -19,6 +31,7 @@
     fingerprint=MOCK_FINGERPRINT,
     serial_number=123,
 )
+AGENCY_CODE = "ABC123XYZ"
 
 
 @patch("src.legacy_soap_api.legacy_soap_api_auth.get_soap_client_certificate")
@@ -47,3 +60,87 @@ def test_client_auth_exceptions():
         SOAPClientCertificateLookupError, match="could not retrieve client cert for serial number"
     ):
         auth.certificate.get_pem({MOCK_FINGERPRINT: "not-an-object"})
+
+
+def test_validate_certificate_raies_error_when_no_legacy_certificate_found(
+    enable_factory_create, fixture_from_file, db_session
+) -> None:
+    soap_auth = SOAPAuth(
+        certificate={
+            "cert": "MOCKED_CERT_STRING_HERE",
+            "serial_number": "7000",
+            "fingerprint": "MOCKED_FINGERPRINT",
+        }
+    )
+    with pytest.raises(
+        SOAPClientCertificateLookupError, match="could not retrieve client cert for serial number"
+    ):
+        validate_certificate(
+            db_session, soap_auth, SimplerSoapAPI.GRANTORS
+        )
+
+
+def test_validate_certificate_raises_error_when_certificate_expired(
+    enable_factory_create, db_session
+) -> None:
+    agency = AgencyFactory.create(agency_code=f"XYZ-{uuid.uuid4()}", is_multilevel_agency=False)
+    legacy_certificate = LegacyAgencyCertificateFactory.create(expiration_date=date(2004, 1, 1), agency=agency)
+    soap_auth = SOAPAuth(
+        certificate={
+            "cert": "MOCKED_CERT_STRING_HERE",
+            "serial_number": f"{legacy_certificate.serial_number}",
+            "fingerprint": "MOCKED_FINGERPRINT",
+        }
+    )
+    with pytest.raises(SOAPClientCertificateLookupError, match="certificate is expired"):
+        validate_certificate(
+            db_session, soap_auth, SimplerSoapAPI.GRANTORS
+        )
+
+
+def test_validate_certificate_raises_error_when_certificate_has_no_agency_when_grantor(
+    enable_factory_create, db_session
+) -> None:
+    legacy_certificate = LegacyAgencyCertificateFactory.create(agency=None, agency_id=None)
+    soap_auth = SOAPAuth(
+        certificate={
+            "cert": "MOCKED_CERT_STRING_HERE",
+            "serial_number": f"{legacy_certificate.serial_number}",
+            "fingerprint": "MOCKED_FINGERPRINT",
+        }
+    )
+    with pytest.raises(SOAPClientCertificateLookupError, match="certificate does not have agency"):
+        validate_certificate(
+            db_session, soap_auth, SimplerSoapAPI.GRANTORS
+        )
+
+
+def test_validate_certificate_does_not_raise_agency_error_when_certificate_has_no_agency_when_applicant(
+    enable_factory_create, db_session
+) -> None:
+    legacy_certificate = LegacyAgencyCertificateFactory.create(agency=None, agency_id=None)
+    soap_auth = SOAPAuth(
+        certificate={
+            "cert": "MOCKED_CERT_STRING_HERE",
+            "serial_number": f"{legacy_certificate.serial_number}",
+            "fingerprint": "MOCKED_FINGERPRINT",
+        }
+    )
+    result = validate_certificate(db_session, soap_auth, SimplerSoapAPI.APPLICANTS)
+    assert result.legacy_certificate_id == legacy_certificate.legacy_certificate_id
+
+
+def test_validate_certificate_raises_error_if_not_soap_auth(
+    enable_factory_create, db_session
+) -> None:
+    agency = AgencyFactory.create(agency_code=f"XYZ-{uuid.uuid4()}", is_multilevel_agency=False)
+    legacy_certificate = LegacyAgencyCertificateFactory.create(agency=agency)
+    agency_user = AgencyUserFactory.create(
+        agency=legacy_certificate.agency, user=legacy_certificate.user
+    )
+    role = RoleFactory(privileges=[Privilege.LEGACY_AGENCY_VIEWER])
+    AgencyUserRoleFactory.create(agency_user=agency_user, role=role)
+    with pytest.raises(SOAPClientCertificateLookupError, match="no soap auth"):
+        validate_certificate(
+            db_session, None, SimplerSoapAPI.GRANTORS
+        )
@@ -1,4 +1,6 @@
 import logging
+from src.constants.lookup_constants import Privilege
+from apiflask import HTTPError
 import uuid
 from collections.abc import Iterator
 from unittest.mock import MagicMock, patch
@@ -24,10 +26,17 @@
 from src.util.datetime_util import parse_grants_gov_date
 from tests.lib.db_testing import cascade_delete_from_db_table
 from tests.src.db.models.factories import (
+    AgencyFactory,
     ApplicationSubmissionFactory,
     CompetitionFactory,
     OpportunityAssistanceListingFactory,
     OpportunityFactory,
+    LegacyAgencyCertificateFactory,
+    AgencyUserFactory,
+    RoleFactory,
+    AgencyUserRoleFactory,
+    ApplicationUserFactory,
+    ApplicationUserRoleFactory,
 )
 from tests.src.legacy_soap_api.soap_request_templates import (
     get_opportunity_list_requests as mock_requests,
@@ -357,10 +366,21 @@ def test_get_simpler_soap_response_when_operation_is_not_get_opportunity_list_re
 
 
 class TestSimplerSOAPGetApplicationZip:
+    @patch("src.legacy_soap_api.grantors.services.get_application_zip_response.validate_certificate")
     def test_get_simpler_soap_response_returns_mtom_xml(
-        self, db_session, enable_factory_create, mock_s3_bucket
+        self, mock_validate_certificate, db_session, enable_factory_create, mock_s3_bucket
     ):
+        agency = AgencyFactory.create(agency_code=f"123-{uuid.uuid4()}")
+        legacy_certificate = LegacyAgencyCertificateFactory.create(agency=agency)
+        mock_validate_certificate.return_value = legacy_certificate
         submission = ApplicationSubmissionFactory.create()
+        agency_user = AgencyUserFactory.create(
+            agency=legacy_certificate.agency, user=legacy_certificate.user
+        )
+        role = RoleFactory.create(privileges=[Privilege.LEGACY_AGENCY_GRANT_RETRIEVER])
+        AgencyUserRoleFactory.create(agency_user=agency_user, role=role)
+        application_user = ApplicationUserFactory.create(application=submission.application, user=legacy_certificate.user)
+        ApplicationUserRoleFactory.create(application_user=application_user, role=role)
         response = requests.get(submission.download_path, timeout=10)
         submission_text = response.content.decode()
         request_xml_bytes = (
@@ -406,11 +426,52 @@ def test_get_simpler_soap_response_returns_mtom_xml(
                 "MIME-Version": "1.0",
             }
 
+    @patch("src.legacy_soap_api.grantors.services.get_application_zip_response.validate_certificate")
+    def test_get_simpler_soap_response_returns_error_if_certificate_user_does_not_have_permissions(
+        self, mock_validate_certificate, db_session, enable_factory_create, mock_s3_bucket
+    ):
+        submission = ApplicationSubmissionFactory.create()
+        request_xml_bytes = (
+            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
+            'xmlns:agen="http://apply.grants.gov/services/AgencyWebServices-V2.0" '
+            'xmlns:gran="http://apply.grants.gov/system/GrantsCommonElements-V1.0">'
+            "<soapenv:Header/>"
+            "<soapenv:Body>"
+            "<agen:GetApplicationZipRequest>"
+            f"<gran:GrantsGovTrackingNumber>{submission.legacy_tracking_number}</gran:GrantsGovTrackingNumber>"
+            "</agen:GetApplicationZipRequest>"
+            "</soapenv:Body>"
+            "</soapenv:Envelope>"
+        ).encode("utf-8")
+        soap_request = SOAPRequest(
+            data=request_xml_bytes,
+            full_path="x",
+            headers={},
+            method="POST",
+            api_name=SimplerSoapAPI.GRANTORS,
+            operation_name="GetApplicationZipRequest",
+        )
+        mock_proxy_response = SOAPResponse(data=b"", status_code=500, headers={})
+        client = SimplerGrantorsS2SClient(soap_request, db_session)
+        with pytest.raises(HTTPError):
+            client.get_simpler_soap_response(mock_proxy_response)
+
+    @patch("src.legacy_soap_api.grantors.services.get_application_zip_response.validate_certificate")
     def test_get_simpler_soap_response_logging_if_downloading_the_file_from_s3_fails(
-        self, db_session, enable_factory_create, caplog
+        self, mock_validate_certificate, db_session, enable_factory_create, caplog
     ):
         caplog.set_level(logging.INFO)
+        agency = AgencyFactory.create(agency_code=f"123-{uuid.uuid4()}")
+        legacy_certificate = LegacyAgencyCertificateFactory.create(agency=agency)
+        mock_validate_certificate.return_value = legacy_certificate
         submission = ApplicationSubmissionFactory.create()
+        agency_user = AgencyUserFactory.create(
+            agency=legacy_certificate.agency, user=legacy_certificate.user
+        )
+        role = RoleFactory.create(privileges=[Privilege.LEGACY_AGENCY_GRANT_RETRIEVER])
+        AgencyUserRoleFactory.create(agency_user=agency_user, role=role)
+        application_user = ApplicationUserFactory.create(application=submission.application, user=legacy_certificate.user)
+        ApplicationUserRoleFactory.create(application_user=application_user, role=role)
         request_xml_bytes = (
             '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
             'xmlns:agen="http://apply.grants.gov/services/AgencyWebServices-V2.0" '