Resolve Client Cred Test

NHSDigital · Aug 9, 2024 · 84aceec · 84aceec
1 parent 638197a
commit 84aceec
Show file tree

Hide file tree

Showing 8 changed files with 301 additions and 593 deletions.
diff --git a/e2e/tests/logging/test_attach_logging_fields.py b/e2e/tests/logging/test_attach_logging_fields.py
@@ -30,6 +30,38 @@ def get_token_details(self, token_data):
                     login_form={"username": "656005750104"},
                     force_new_token=True,
                 ),
+            ),
+             # User-restricted CIS2 combined aal2
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "authorization_code",
+                    "auth_level": "aal2",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750109",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal2",
+                    login_form={"username": "656005750109"},
+                    force_new_token=True,
+                ),
+            ),
+            # User-restricted CIS2 combined aal1
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "authorization_code",
+                    "auth_level": "aal1",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750110",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal1",
+                    login_form={"username": "656005750110"},
+                    force_new_token=True,
+                ),
             ),
             # User-restricted CIS2 seperate aal3
             pytest.param(
@@ -47,6 +79,40 @@ def get_token_details(self, token_data):
                     authentication="separate",
                     force_new_token=True,
                 ),
+            ),
+             # User-restricted CIS2 seperate aal2
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "token_exchange",
+                    "auth_level": "aal2",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750109",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal2",
+                    login_form={"username": "656005750109"},
+                    authentication="separate",
+                    force_new_token=True,
+                ),
+            ),
+            # User-restricted CIS2 seperate aal1
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "token_exchange",
+                    "auth_level": "aal1",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750110",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal1",
+                    login_form={"username": "656005750110"},
+                    authentication="separate",
+                    force_new_token=True,
+                ),
             ),
             # User-restricted NHS-login combined P0
             pytest.param(

diff --git a/poetry.lock b/poetry.lock
diff --git a/proxies/live/apiproxy/policies/OAuthV2.GenerateAccessToken.xml b/proxies/live/apiproxy/policies/OAuthV2.GenerateAccessToken.xml
@@ -17,6 +17,7 @@
         <Attribute name="id_token-subject" ref="jwt.DecodeJWT.FromExternalIdToken.claim.subject" display="true"/>
         <Attribute name="id_token-issuer" ref="jwt.DecodeJWT.FromExternalIdToken.claim.issuer" display="true"/>
         <Attribute name="id_token-acr" ref="jwt.DecodeJWT.FromExternalIdToken.claim.acr" display="true"/>
+        <Attribute name="id_token-authentication_assurance_level" ref="jwt.DecodeJWT.FromExternalIdToken.claim.authentication_assurance_level" display="true"/>
         <Attribute name="id_token-amr" ref="jwt.DecodeJWT.FromExternalIdToken.claim.amr" display="true"/>
         <Attribute name="id_token-id-assurance-level" ref="jwt.DecodeJWT.FromExternalIdToken.claim.id_assurance_level" display="true"/>
         <Attribute name="id_token-identity-proofing-level" ref="jwt.DecodeJWT.FromExternalIdToken.claim.identity_proofing_level" display="true"/>

diff --git a/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml b/proxies/live/apiproxy/policies/OAuthV2.TokenExchangeGenerateAccessTokenFilteredScopes.xml
@@ -22,6 +22,7 @@
         <Attribute name="id_token" display="true" ref="request.formparam.subject_token" />
         <Attribute name="id_token-issuer" ref="jwt.VerifyJWT.SubjectToken.claim.issuer" display="true" />
         <Attribute name="id_token-acr" ref="jwt.VerifyJWT.SubjectToken.claim.acr" display="true" />
+        <Attribute name="id_token-authentication_assurance_level" ref="jwt.VerifyJWT.SubjectToken.claim.authentication_assurance_level" display="true"/>
         <Attribute name="id_token-amr" ref="jwt.VerifyJWT.SubjectToken.claim.amr" display="true" />
         <Attribute name="id_token-id-assurance-level" ref="jwt.VerifyJWT.SubjectToken.claim.id_assurance_level" display="true" />
         <Attribute name="id_token-identity-proofing-level" ref="jwt.VerifyJWT.SubjectToken.claim.identity_proofing_level" display="true"/>

diff --git a/proxies/live/apiproxy/resources/jsc/FilterScopesTokenExchange.js b/proxies/live/apiproxy/resources/jsc/FilterScopesTokenExchange.js
@@ -1,8 +1,8 @@
 var api_product_scopes = String(context.getVariable('original_scope'));
 var idTokenIssuer = context.getVariable('idTokenIssuer');
 if (idTokenIssuer == "nhs-cis2") {
-    var id_token_acr = context.getVariable('jwt.DecodeJWT.FromSubjectTokenFormParam.decoded.claim.acr');
-    id_token_acr = ':' + id_token_acr.slice(0, 4).toLowerCase() + ':';
+    var id_token_acr = context.getVariable('jwt.DecodeJWT.FromSubjectTokenFormParam.decoded.claim.authentication_assurance_level');
+    id_token_acr = ':aal' + id_token_acr + ':';
 }
 else {
     var id_token_acr = context.getVariable('jwt.DecodeJWT.FromSubjectTokenFormParam.decoded.claim.identity_proofing_level');

diff --git a/proxies/live/apiproxy/resources/jsc/filter-user-restricted-scopes.js b/proxies/live/apiproxy/resources/jsc/filter-user-restricted-scopes.js
@@ -5,8 +5,8 @@ if(idp == 'nhs-login'){
     id_token_acr = ':' + id_token_acr.slice(0, 2) + ':'; 
 }
 else{
-    var id_token_acr = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.decoded.claim.acr');
-    id_token_acr = ':' + id_token_acr.slice(0, 4).toLowerCase() + ':';
+    var id_token_acr = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.decoded.claim.authentication_assurance_level');
+    id_token_acr = ':aal' + id_token_acr + ':';
 }
 
 var api_product_scopes = String(context.getVariable('original_scope'));

diff --git a/proxies/live/apiproxy/resources/jsc/set-logging-fields.js b/proxies/live/apiproxy/resources/jsc/set-logging-fields.js
@@ -19,8 +19,7 @@ if (grant_type === 'authorization_code' || pathsuffix === '/authorize' || pathsu
       level = getLevel(proofing_level)
       user_id = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.claim.nhs_number')
     } else {
-      claim_acr = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.claim.acr')
-
+      claim_acr = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.claim.authentication_assurance_level')
       level = getLevel(claim_acr)
       user_id = context.getVariable('jwt.DecodeJWT.FromExternalIdToken.claim.subject')
     }
@@ -95,9 +94,15 @@ function getLevel(level) {
   if (level) {
     level = level.toLowerCase()
 
-    if (level.includes('aal3')) {
+    if (level === '3' || level.includes('aal3')) {
       return 'aal3'
     }
+    if (level === '2' || level.includes('aal2')) {
+      return 'aal2'
+    }
+    if (level === '1' || level.includes('aal1')) {
+      return 'aal1'
+    }
     if (level.includes('level3')) {
       return 'level3'
     }

diff --git a/pyproject.toml b/pyproject.toml
@@ -19,10 +19,10 @@ beautifulsoup4 = "^4.10.0"
 selenium = "^4.0.0"
 pytest-xdist = {extras = ["psutil"], version = "^2.4.0"}
 pytest-custom-exit-code = "^0.3.0"
-pytest-nhsd-apim = "^3.3.2"
+pytest-nhsd-apim = "^3.4.2"
 
 
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 pyyaml = "^5.2"
 docopt = "^0.6.2"
 jsonpath-rw = "^1.4.0"
@@ -35,16 +35,15 @@ jinja2 = "^2.11.1"
 bandit = "^1.6.2"
 autopep8 = "^1.5.4"
 requests = "^2.25.0"
-pytest = "^6.1.2"
+pytest = "^8.3.2"
 aiohttp = "^3.7.3"
 pytest-asyncio = "^0.14.0"
 coverage = "^5.3"
 pytest-xdist = "^2.1.0"
 pytest-sugar = "^0.9.4"
-api-test-utils = {url = "https://github.com/NHSDigital/apim-test-utils/releases/download/v1.1.35-alpha/api_test_utils-1.1.35a0-py3-none-any.whl"}
 python-dotenv = "^0.17.1"
 PyJWT = "^2.3.0"
-cryptography = "^36.0.1"
-pytest-docker = "^0.10.3"
+cryptography = "^43.0.0"
+pytest-docker = "^3.1.1"
 
 [tool.poetry.scripts]