
Merge pull request #383 from NHSDigital/APM-5429_FinalChanges
Add AAL1 and 2 support for CIS2 auth
sophieclayton12-nhs authored Aug 28, 2024
2 parents 638197a + 06b5add commit 6de8f5e
Showing 23 changed files with 622 additions and 804 deletions.
3 changes: 1 addition & 2 deletions azure/azure-pr-pipeline.yml
Expand Up @@ -70,8 +70,7 @@ extends:
jinja_templates:
IDENTITY_PROVIDER_CIS2: cis2-int
IDENTITY_PROVIDER_NHS_LOGIN: nhs-login
VARIABLES_KVM: identity_service_config
VARIABLES_KVM: identity_service_config_int
ENCRYPTED_VARIABLES_KVM: identity-service-variables-encrypted
ENCRYPTED_VARIABLES_KVM_KEY_CLIENT_SECRET: keycloak_client_secret
NUM_RANDOM_LONG_INTS_FOR_STATE: 4
RATELIMITING: ${{ variables.ratelimiting }}
2 changes: 1 addition & 1 deletion e2e/performance/pyproject.toml
Expand Up @@ -11,7 +11,7 @@ locust = "^1.1.1"
pyjwt = "^2.0.0"
cryptography = "^3.3.1"

[tool.poetry.dev-dependencies]
[tool.poetry.group.dev.dependencies]
flake8 = "^3.8.3"
black = "^19.10b0"

1 change: 1 addition & 0 deletions e2e/tests/conftest.py
Expand Up @@ -104,6 +104,7 @@ def cis2_subject_token_claims():
"c_hash": "bc7zzGkClC3MEiFQ3YhPKg",
"acr": "AAL3_ANY",
"id_assurance_level": int(3),
"authentication_assurance_level": int(3),
"org.forgerock.openidconnect.ops": "-I45NjmMDdMa-aNF2sr9hC7qEGQ",
"s_hash": "LPJNul-wow4m6Dsqxbning",
"azp": "969567331415.apps.national",
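Review bot: `int(3)` on the added `authentication_assurance_level` line (as on the `id_assurance_level` line above it) wraps an int literal in a no-op conversion; `"authentication_assurance_level": 3,` says the same thing without implying a cast is taking place. With this addition the fixture pins `acr` to `AAL3_ANY` and both assurance-level claims to 3, so any test in this commit that parametrises aal1/aal2 and reuses the fixture unchanged would present AAL3 subject-token claims for those cases — I cannot confirm that from the hunk, since the fixture body and its callers are outside it. A short comment at the top of the claims dict would make the constraint visible to the next author, e.g. `# Subject-token claims are fixed at AAL3; override acr/authentication_assurance_level for lower-level cases`. cis2_subject_token_claims starts outside the hunk.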
66 changes: 66 additions & 0 deletions e2e/tests/logging/test_attach_logging_fields.py
Expand Up @@ -31,6 +31,38 @@ def get_token_details(self, token_data):
force_new_token=True,
),
),
# User-restricted CIS2 combined aal2
pytest.param(
{
"auth_type": "user",
"auth_grant_type": "authorization_code",
"auth_level": "aal2",
"auth_provider": "apim-mock-nhs-cis2",
"auth_user_id": "656005750109",
},
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal2",
login_form={"username": "656005750109"},
force_new_token=True,
),
),
# User-restricted CIS2 combined aal1
pytest.param(
{
"auth_type": "user",
"auth_grant_type": "authorization_code",
"auth_level": "aal1",
"auth_provider": "apim-mock-nhs-cis2",
"auth_user_id": "656005750110",
},
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal1",
login_form={"username": "656005750110"},
force_new_token=True,
),
),
# User-restricted CIS2 seperate aal3
pytest.param(
{
Expand All @@ -48,6 +80,40 @@ def get_token_details(self, token_data):
force_new_token=True,
),
),
# User-restricted CIS2 seperate aal2
pytest.param(
{
"auth_type": "user",
"auth_grant_type": "token_exchange",
"auth_level": "aal2",
"auth_provider": "apim-mock-nhs-cis2",
"auth_user_id": "656005750109",
},
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal2",
login_form={"username": "656005750109"},
authentication="separate",
force_new_token=True,
),
),
# User-restricted CIS2 seperate aal1
pytest.param(
{
"auth_type": "user",
"auth_grant_type": "token_exchange",
"auth_level": "aal1",
"auth_provider": "apim-mock-nhs-cis2",
"auth_user_id": "656005750110",
},
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal1",
login_form={"username": "656005750110"},
authentication="separate",
force_new_token=True,
),
),
# User-restricted NHS-login combined P0
pytest.param(
{
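Review bot: The four new `pytest.param` entries (aal2 and aal1, in both the combined hunk and the separate hunk) repeat the same dict and marks shape and differ only in `auth_level`, `auth_user_id`, the `auth_grant_type` value and the `authentication="separate"` flag, so the user-ID-to-level pairing is now hard-coded here as well as in the `MOCK_CIS2_USERNAMES` mapping this commit introduces in test_splunk_logging.py; a change to the mock usernames would leave these params silently testing the wrong assurance level. Generating them from that mapping, as the splunk test does, keeps one source of truth (the import `from e2e.tests.utils.config import MOCK_CIS2_USERNAMES` would be needed here if it is not already present, which the hunk does not show). The new block comments and the existing `# User-restricted CIS2 seperate aal3` line spell "separate" as "seperate". The enclosing parametrize list starts and ends outside both hunks.
```python
# … unchanged: earlier pytest.param entries …
*[
    pytest.param(
        {
            "auth_type": "user",
            "auth_grant_type": "authorization_code",
            "auth_level": level,
            "auth_provider": "apim-mock-nhs-cis2",
            "auth_user_id": username,
        },
        marks=pytest.mark.nhsd_apim_authorization(
            access="healthcare_worker",
            level=level,
            login_form={"username": username},
            force_new_token=True,
        ),
    )
    for level, usernames in MOCK_CIS2_USERNAMES.items()
    for username in usernames
],
# … unchanged: NHS-login params; the separate-auth block mirrors this with
#    "auth_grant_type": "token_exchange" and authentication="separate" …
```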
95 changes: 44 additions & 51 deletions e2e/tests/logging/test_splunk_logging.py
Expand Up @@ -3,6 +3,7 @@

from uuid import uuid4

from e2e.tests.utils.config import MOCK_CIS2_USERNAMES
from e2e.tests.utils.helpers import (
create_client_assertion,
create_subject_token,
Expand All @@ -16,36 +17,55 @@
class TestSplunkLoggingFields:
"""Test suite for testing logging fields are sent to splunk"""

# Create a list of pytest.param for each combination of username and level for combined auth
combined_auth_params = [
pytest.param(
False, username, "apim-mock-nhs-cis2", level,
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level=level,
login_form={"username": username},
force_new_token=True,
),
)
for level, usernames in MOCK_CIS2_USERNAMES.items()
for username in usernames
]

# Create a list of pytest.param for each combination of username and level for separate auth
separate_auth_params = [
pytest.param(
username, level,
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level=level,
login_form={"username": username},
authentication="separate",
force_new_token=True,
),
)
for level, usernames in MOCK_CIS2_USERNAMES.items()
for username in usernames
]

@pytest.mark.happy_path
@pytest.mark.logging
@pytest.mark.parametrize(
"is_nhs_login,username,provider",
"is_nhs_login,username,provider,level", combined_auth_params +
[
# CIS2
pytest.param(
False,
"656005750104",
"apim-mock-nhs-cis2",
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal3",
login_form={"username": "656005750104"},
force_new_token=True,
),
),
# NHS Login
pytest.param(
True,
"9912003071",
"apim-mock-nhs-login",
"P9",
marks=pytest.mark.nhsd_apim_authorization(
access="patient",
level="P9",
login_form={"username": "9912003071"},
force_new_token=True,
),
),
],
]
)
def test_splunk_fields_for_authorize_endpoint(
self,
Expand All @@ -55,6 +75,7 @@ def test_splunk_fields_for_authorize_endpoint(
is_nhs_login,
username,
provider,
level
):
session_name = str(uuid4())
header_filters = {"trace_id": session_name}
Expand Down Expand Up @@ -82,6 +103,7 @@ def test_splunk_fields_for_authorize_endpoint(
assert auth_meta["auth_type"] == "user"
assert auth_meta["grant_type"] == "authorization_code"
assert auth_meta["level"] == "" # level is unknown when hitting /authorize

assert auth_meta["provider"] == provider

auth_user = auth["user"]
Expand All @@ -90,21 +112,8 @@ def test_splunk_fields_for_authorize_endpoint(
@pytest.mark.happy_path
@pytest.mark.logging
@pytest.mark.parametrize(
"is_nhs_login,username,provider,level",
"is_nhs_login,username,provider,level", combined_auth_params +
[
# CIS2
pytest.param(
False,
"656005750104",
"apim-mock-nhs-cis2",
"aal3",
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal3",
login_form={"username": "656005750104"},
force_new_token=True,
),
),
# NHS Login
pytest.param(
True,
Expand All @@ -118,7 +127,7 @@ def test_splunk_fields_for_authorize_endpoint(
force_new_token=True,
),
),
],
]
)
def test_splunk_fields_for_callback_endpoint(
self,
Expand Down Expand Up @@ -165,21 +174,8 @@ def test_splunk_fields_for_callback_endpoint(
@pytest.mark.happy_path
@pytest.mark.logging
@pytest.mark.parametrize(
"is_nhs_login,username,provider,level",
"is_nhs_login,username,provider,level", combined_auth_params +
[
# CIS2
pytest.param(
False,
"656005750104",
"apim-mock-nhs-cis2",
"aal3",
marks=pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal3",
login_form={"username": "656005750104"},
force_new_token=True,
),
),
# NHS Login
pytest.param(
True,
Expand Down Expand Up @@ -243,6 +239,7 @@ def test_splunk_fields_for_token_endpoint_authorization_code(
assert auth_meta["auth_type"] == "user"
assert auth_meta["grant_type"] == "authorization_code"
assert auth_meta["level"] == level

assert auth_meta["provider"] == provider

auth_user = auth["user"]
Expand Down Expand Up @@ -298,13 +295,7 @@ def test_splunk_fields_for_token_endpoint_client_credentials(

@pytest.mark.happy_path
@pytest.mark.logging
@pytest.mark.nhsd_apim_authorization(
access="healthcare_worker",
level="aal3",
login_form={"username": "aal3"},
authentication="separate",
force_new_token=True,
)
@pytest.mark.parametrize("username, level", separate_auth_params)
def test_splunk_fields_for_token_endpoint_token_exchange_cis2(
self,
nhsd_apim_proxy_url,
Expand All @@ -313,6 +304,8 @@ def test_splunk_fields_for_token_endpoint_token_exchange_cis2(
token_data_token_exchange,
_jwt_keys,
cis2_subject_token_claims,
username,
level
):
token_data_token_exchange["client_assertion"] = create_client_assertion(
claims, _jwt_keys["private_key_pem"]
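Review bot: `level` is added to the signature of `test_splunk_fields_for_authorize_endpoint` only so the test can share `combined_auth_params`, but the body still asserts `auth_meta["level"] == ""` and never reads the parameter; an unused positional parameter reads like a missing assertion, so mark it, e.g. `level,  # unused: /authorize logs level as "" (asserted below); kept to share combined_auth_params`. The same trailing-comma omission appears on the new `level` lines in that signature and in `test_splunk_fields_for_token_endpoint_token_exchange_cis2`. In the token-exchange test the parametrised `level` now drives `nhsd_apim_authorization(level=level)` while the test still takes the `cis2_subject_token_claims` fixture, which this commit extends with fixed AAL3 claims in conftest.py; if the body (outside the hunk) asserts the logged level against `level` as the authorization_code test does, it is worth confirming that aal1/aal2 cases do not pass a subject token carrying AAL3. The class-body comprehensions work because `pytest` and `MOCK_CIS2_USERNAMES` are module-level names; a comprehension at class scope cannot see other class attributes, so a brief comment on `combined_auth_params` noting that is useful to whoever next refactors it.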
