Chore: [AEA-3864] - Enable OAuth authorisation for proxy

.github/scripts/deploy_api.sh

@@ -17,6 +17,12 @@ else
 fi
 echo "Proxy instance: $instance"
 
+# Find and replace the title
+title=$(jq -r '.info.title' "$SPEC_PATH")
+if [[ $STACK_NAME == psu-pr-* ]]; then
+    jq --arg title "[PR-$pr_id] $title" '.info.title = $title' "$SPEC_PATH" > temp.json && mv temp.json "$SPEC_PATH"
+fi
+
 # Find and replace the specification version number 
 jq --arg version "$VERSION_NUMBER" '.info.version = $version' "$SPEC_PATH" > temp.json && mv temp.json "$SPEC_PATH"
 
@@ -30,6 +36,12 @@ else
     jq --arg env "$APIGEE_ENVIRONMENT" --arg inst "$instance" '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]' "$SPEC_PATH" > temp.json && mv temp.json "$SPEC_PATH"
 fi
 
+# Find and replace securitySchemes
+if [[ $APIGEE_ENVIRONMENT == prod ]]; then
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "$SPEC_PATH" > temp.json && mv temp.json "$SPEC_PATH"
+else
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "$SPEC_PATH" > temp.json && mv temp.json "$SPEC_PATH"
+fi
 # Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager
 proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:ProxgenPrivateKey'].Value" --output text)
 client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientKeySecret'].Value" --output text)

.github/workflows/sam_package_code.yml

@@ -55,7 +55,7 @@ jobs:
           cp .tool-versions ~/
           rm -rf .aws-sam
           export PATH=$PATH:$PWD/node_modules/.bin
-          make publish
+          make build-specification
           make sam-build
           cp Makefile .aws-sam/build/
           cp samconfig_package_and_deploy.toml .aws-sam/build/

Makefile

@@ -120,7 +120,6 @@ test: compile
 	npm run test --workspace packages/updatePrescriptionStatus
 	npm run test --workspace packages/gsul
 	npm run test --workspace packages/sandbox
-	npm run test --workspace packages/specification
 	npm run test --workspace packages/statusLambda
 
 clean:
@@ -139,10 +138,8 @@ deep-clean: clean
 	find . -name 'node_modules' -type d -prune -exec rm -rf '{}' +
 	poetry env remove --all
 
-publish:
-	npm run resolve --workspace packages/specification 2> /dev/null
-	npm run compile --workspace packages/specification 2> /dev/null
-	npm run replace-components --workspace packages/specification 2> /dev/null
+build-specification:
+	$(MAKE) --directory=packages/specification build
 
 check-licenses: check-licenses-node check-licenses-python
 

SAMtemplates/apis/main.yaml

@@ -1,4 +1,4 @@
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: "2010-09-09"
 Transform: AWS::Serverless-2016-10-31
 Description: |
   PSU API's and related resources
@@ -7,32 +7,32 @@ Parameters:
   StackName:
     Type: String
     Default: none
-  
+
   EnableMutualTLS:
     Type: String
-  
+
   TruststoreVersion:
     Type: String
-  
+
   UpdatePrescriptionStatusStateMachineName:
     Type: String
     Default: none
-  
+
   UpdatePrescriptionStatusStateMachineArn:
     Type: String
     Default: none
 
-  StatusLambdaFunctionName:
+  StatusFunctionName:
     Type: String
     Default: none
 
-  StatusLambdaFunctionArn:
+  StatusFunctionArn:
     Type: String
     Default: none
 
   LogRetentionInDays:
     Type: Number
-  
+
   EnableSplunk:
     Type: String
 
@@ -77,7 +77,7 @@ Resources:
         - - !Ref StackName
           - !ImportValue eps-route53-resources:EPS-domain
       RegionalCertificateArn: !Ref GenerateCertificate
-      EndpointConfiguration: 
+      EndpointConfiguration:
         Types:
           - REGIONAL
       SecurityPolicy: TLS_1_2
@@ -90,7 +90,7 @@ Resources:
               - !Select
                 - 5
                 - !Split
-                  - ':'
+                  - ":"
                   - !ImportValue account-resources:TrustStoreBucket
               - psu-truststore.pem
           - !Ref AWS::NoValue
@@ -204,15 +204,15 @@ Resources:
 
                 $payload.Payload.body
       MethodResponses:
-        - StatusCode: '200'
+        - StatusCode: "200"
 
   StatusLambdaMethodResource:
     Type: AWS::ApiGateway::Resource
     Properties:
       RestApiId: !Ref RestApiGateway
       ParentId: !GetAtt RestApiGateway.RootResourceId
       PathPart: _status
-  
+
   StatusLambdaMethod:
     Type: AWS::ApiGateway::Method
     Properties:
@@ -224,7 +224,7 @@ Resources:
         Type: AWS_PROXY
         Credentials: !GetAtt RestApiGatewayResources.Outputs.ApiGwRoleArn
         IntegrationHttpMethod: POST
-        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${StatusLambdaFunctionArn}/invocations
+        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${StatusFunctionArn}/invocations
 
   # *********************************************************************
   # if you add a new endpoint, then change the name of this resource
@@ -250,7 +250,7 @@ Resources:
       AccessLogSetting:
         DestinationArn: !GetAtt RestApiGatewayResources.Outputs.ApiGwAccessLogsArn
         Format: '{ "requestTime": "$context.requestTime", "apiId": "$context.apiId", "accountId": "$context.accountId", "resourcePath": "$context.resourcePath", "stage": "$context.stage", "requestId": "$context.requestId", "extendedRequestId": "$context.extendedRequestId", "status": "$context.status", "httpMethod": "$context.httpMethod", "protocol": "$context.protocol", "path": "$context.path", "responseLatency": "$context.responseLatency", "responseLength": "$context.responseLength", "domainName": "$context.domainName", "identity": { "sourceIp": "$context.identity.sourceIp", "userAgent": "$context.identity.userAgent", "clientCert":{ "subjectDN": "$context.identity.clientCert.subjectDN", "issuerDN": "$context.identity.clientCert.issuerDN", "serialNumber": "$context.identity.clientCert.serialNumber", "validityNotBefore": "$context.identity.clientCert.validity.notBefore", "validityNotAfter": "$context.identity.clientCert.validity.notAfter" }}, "integration":{ "error": "$context.integration.error", "integrationStatus": "$context.integration.integrationStatus", "latency": "$context.integration.latency", "requestId": "$context.integration.requestId", "status": "$context.integration.status" }}'
-  
+
   RestApiDomainMapping:
     Type: AWS::ApiGateway::BasePathMapping
     Properties:
@@ -264,9 +264,9 @@ Resources:
       Location: api_resources.yaml
       Parameters:
         AdditionalPolicies: !Join
-          - ','
+          - ","
           - - Fn::ImportValue: !Sub ${StackName}:state-machines:${UpdatePrescriptionStatusStateMachineName}:ExecuteStateMachinePolicy
-            - Fn::ImportValue: !Sub ${StackName}:functions:${StatusLambdaFunctionName}:ExecuteLambdaPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:functions:${StatusFunctionName}:ExecuteLambdaPolicyArn
         ApiName: !Sub ${StackName}-apigw
         LogRetentionInDays: !Ref LogRetentionInDays
         EnableSplunk: !Ref EnableSplunk

SAMtemplates/functions/main.yaml

@@ -119,13 +119,13 @@ Resources:
         SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
         SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream
 
-  StatusLambdaFunction:
+  Status:
     Type: AWS::Serverless::Function
     Properties:
-      FunctionName: !Sub ${StackName}-statusLambda
+      FunctionName: !Sub ${StackName}-status
       CodeUri: ../../packages
       Handler: statusLambda.handler
-      Role: !GetAtt StatusLambdaFunctionResources.Outputs.LambdaRoleArn
+      Role: !GetAtt StatusResources.Outputs.LambdaRoleArn
       Environment:
         Variables:
           VERSION_NUMBER: !Ref VersionNumber
@@ -140,14 +140,14 @@ Resources:
         EntryPoints:
           - statusLambda/src/statusLambda.ts
 
-  StatusLambdaFunctionResources:
+  StatusResources:
     Type: AWS::Serverless::Application
     Properties:
       Location: lambda_resources.yaml
       Parameters:
         StackName: !Ref StackName
-        LambdaName: !Sub ${StackName}-statusLambda
-        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-statusLambda
+        LambdaName: !Sub ${StackName}-status
+        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-status
         IncludeAdditionalPolicies: true
         AdditionalPolicies: !Join
           - ","
@@ -177,10 +177,10 @@ Outputs:
     Export:
       Name: !Sub ${StackName}:functions:GetStatusUpdates:FunctionArn
 
-  StatusLambdaFunctionName:
+  StatusFunctionName:
     Description: The function name of the Status lambda
-    Value: !Ref  StatusLambdaFunction
-  
-  StatusLambdaFunctionArn:
+    Value: !Ref Status
+
+  StatusFunctionArn:
     Description: The function ARN of the Status lambda
-    Value: !GetAtt  StatusLambdaFunction.Arn
+    Value: !GetAtt Status.Arn

SAMtemplates/main_template.yaml

@@ -79,8 +79,8 @@ Resources:
         TruststoreVersion: !Ref TruststoreVersion
         UpdatePrescriptionStatusStateMachineName: !GetAtt StateMachines.Outputs.UpdatePrescriptionStatusStateMachineName
         UpdatePrescriptionStatusStateMachineArn: !GetAtt StateMachines.Outputs.UpdatePrescriptionStatusStateMachineArn
-        StatusLambdaFunctionName: !GetAtt Functions.Outputs.StatusLambdaFunctionName
-        StatusLambdaFunctionArn: !GetAtt Functions.Outputs.StatusLambdaFunctionArn
+        StatusFunctionName: !GetAtt Functions.Outputs.StatusFunctionName
+        StatusFunctionArn: !GetAtt Functions.Outputs.StatusFunctionArn
         LogRetentionInDays: !Ref LogRetentionInDays
         EnableSplunk: !Ref EnableSplunk
 

packages/specification/Makefile

@@ -0,0 +1,15 @@
+SHELL=/bin/bash -euo pipefail
+
+.PHONY: install build test publish release clean
+
+install:
+	npm ci
+
+clean:
+	rm -rf dist/
+
+build:
+	mkdir -p dist
+	npm run lint
+	npm run resolve
+	ls -la dist

packages/specification/eps-prescription-status-update-api.yaml

@@ -213,11 +213,11 @@ paths:
               example:
                 $ref: examples/error-ods-code.json
       security:
-        - app-level0: []
+        - app-level3: []
 components:
   securitySchemes:
-    app-level0:
-      $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0
+    app-level3:
+      $ref: https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3
   parameters:
     BearerAuthorisation:
       in: header
@@ -295,13 +295,15 @@ components:
       $ref: "schemas/components/ResponseBundle.yaml"
     OperationOutcome:
       $ref: schemas/resources/OperationOutcome.yaml
+security:
+  - app-level3: []
 x-nhsd-apim:
   temporary: false
   monitoring: false
   access:
     - title: Application Restricted
       grants:
-        app-level0: []
+        app-level3: []
   target:
     type: external
     healthcheck: /_status

packages/specification/package.json

@@ -7,10 +7,7 @@
     "unit": "POWERTOOLS_DEV=true NODE_OPTIONS=--experimental-vm-modules jest --no-cache --coverage",
     "lint": "swagger-cli validate eps-prescription-status-update-api.yaml",
     "resolve": "swagger-cli bundle eps-prescription-status-update-api.yaml -r -o dist/eps-prescription-status-update-api.resolved.json",
-    "replace-components": "node lib/src/replaceComponents.js",
-    "compile": "tsc",
     "clean": "rm -rf lib coverage",
-    "test": "npm run clean && npm run resolve && npm run compile && npm run replace-components && npm run unit",
     "check-licenses": "license-checker --failOn GPL --failOn LGPL --start ../.."
   },
   "author": "NHS Digital",