AAL2 Changes

azure/azure-pr-pipeline.yml

@@ -70,8 +70,7 @@ extends:
         jinja_templates:
           IDENTITY_PROVIDER_CIS2: cis2-int
           IDENTITY_PROVIDER_NHS_LOGIN: nhs-login
-          VARIABLES_KVM: identity_service_config
+          VARIABLES_KVM: identity_service_config_int
           ENCRYPTED_VARIABLES_KVM: identity-service-variables-encrypted
-          ENCRYPTED_VARIABLES_KVM_KEY_CLIENT_SECRET: keycloak_client_secret
           NUM_RANDOM_LONG_INTS_FOR_STATE: 4
           RATELIMITING: ${{ variables.ratelimiting }}

e2e/performance/pyproject.toml

@@ -11,7 +11,7 @@ locust = "^1.1.1"
 pyjwt = "^2.0.0"
 cryptography = "^3.3.1"
 
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 flake8 = "^3.8.3"
 black = "^19.10b0"
 

e2e/tests/conftest.py

@@ -104,6 +104,7 @@ def cis2_subject_token_claims():
         "c_hash": "bc7zzGkClC3MEiFQ3YhPKg",
         "acr": "AAL3_ANY",
         "id_assurance_level": int(3),
+        "authentication_assurance_level": int(3),
         "org.forgerock.openidconnect.ops": "-I45NjmMDdMa-aNF2sr9hC7qEGQ",
         "s_hash": "LPJNul-wow4m6Dsqxbning",
         "azp": "969567331415.apps.national",

e2e/tests/logging/test_attach_logging_fields.py

@@ -31,6 +31,38 @@ def get_token_details(self, token_data):
                     force_new_token=True,
                 ),
             ),
+            # User-restricted CIS2 combined aal2
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "authorization_code",
+                    "auth_level": "aal2",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750109",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal2",
+                    login_form={"username": "656005750109"},
+                    force_new_token=True,
+                ),
+            ),
+            # User-restricted CIS2 combined aal1
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "authorization_code",
+                    "auth_level": "aal1",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750110",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal1",
+                    login_form={"username": "656005750110"},
+                    force_new_token=True,
+                ),
+            ),
             # User-restricted CIS2 seperate aal3
             pytest.param(
                 {
@@ -48,6 +80,40 @@ def get_token_details(self, token_data):
                     force_new_token=True,
                 ),
             ),
+            # User-restricted CIS2 seperate aal2
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "token_exchange",
+                    "auth_level": "aal2",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750109",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal2",
+                    login_form={"username": "656005750109"},
+                    authentication="separate",
+                    force_new_token=True,
+                ),
+            ),
+            # User-restricted CIS2 seperate aal1
+            pytest.param(
+                {
+                    "auth_type": "user",
+                    "auth_grant_type": "token_exchange",
+                    "auth_level": "aal1",
+                    "auth_provider": "apim-mock-nhs-cis2",
+                    "auth_user_id": "656005750110",
+                },
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal1",
+                    login_form={"username": "656005750110"},
+                    authentication="separate",
+                    force_new_token=True,
+                ),
+            ),
             # User-restricted NHS-login combined P0
             pytest.param(
                 {

e2e/tests/logging/test_splunk_logging.py

@@ -3,6 +3,7 @@
 
 from uuid import uuid4
 
+from e2e.tests.utils.config import MOCK_CIS2_USERNAMES
 from e2e.tests.utils.helpers import (
     create_client_assertion,
     create_subject_token,
@@ -15,37 +16,59 @@
 
 class TestSplunkLoggingFields:
     """Test suite for testing logging fields are sent to splunk"""
+    # We are on our second generation of mock identity provider for
+    # healthcare_worker access (CIS2). This allows you to log-in using a
+    # username.
+
+    # Create a list of pytest.param for each combination of username and level for combined auth
+    combined_auth_params = [
+        pytest.param(
+           False, username, "apim-mock-nhs-cis2", level,
+           marks=pytest.mark.nhsd_apim_authorization(
+                access="healthcare_worker",
+                level=level,
+                login_form={"username": username},
+                force_new_token=True,
+            ),
+        )
+        for level, usernames in MOCK_CIS2_USERNAMES.items()
+        for username in usernames
+    ]
+
+    # Create a list of pytest.param for each combination of username and level for separate auth
+    separate_auth_params = [
+        pytest.param(
+            username, level,
+            marks=pytest.mark.nhsd_apim_authorization(
+                access="healthcare_worker",
+                level=level,
+                login_form={"username": username},
+                authentication="separate",
+                force_new_token=True,
+            ),
+        )
+        for level, usernames in MOCK_CIS2_USERNAMES.items()
+        for username in usernames
+    ]
 
     @pytest.mark.happy_path
     @pytest.mark.logging
     @pytest.mark.parametrize(
-        "is_nhs_login,username,provider",
+        "is_nhs_login,username,provider,level", combined_auth_params +
         [
-            # CIS2
-            pytest.param(
-                False,
-                "656005750104",
-                "apim-mock-nhs-cis2",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
-                    force_new_token=True,
-                ),
-            ),
-            # NHS Login
             pytest.param(
                 True,
                 "9912003071",
                 "apim-mock-nhs-login",
+                "P9",
                 marks=pytest.mark.nhsd_apim_authorization(
                     access="patient",
                     level="P9",
                     login_form={"username": "9912003071"},
                     force_new_token=True,
                 ),
             ),
-        ],
+        ]
     )
     def test_splunk_fields_for_authorize_endpoint(
         self,
@@ -55,6 +78,7 @@ def test_splunk_fields_for_authorize_endpoint(
         is_nhs_login,
         username,
         provider,
+        level
     ):
         session_name = str(uuid4())
         header_filters = {"trace_id": session_name}
@@ -82,6 +106,7 @@ def test_splunk_fields_for_authorize_endpoint(
         assert auth_meta["auth_type"] == "user"
         assert auth_meta["grant_type"] == "authorization_code"
         assert auth_meta["level"] == ""  # level is unknown when hitting /authorize
+
         assert auth_meta["provider"] == provider
 
         auth_user = auth["user"]
@@ -90,21 +115,8 @@ def test_splunk_fields_for_authorize_endpoint(
     @pytest.mark.happy_path
     @pytest.mark.logging
     @pytest.mark.parametrize(
-        "is_nhs_login,username,provider,level",
+        "is_nhs_login,username,provider,level", combined_auth_params +
         [
-            # CIS2
-            pytest.param(
-                False,
-                "656005750104",
-                "apim-mock-nhs-cis2",
-                "aal3",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
-                    force_new_token=True,
-                ),
-            ),
             # NHS Login
             pytest.param(
                 True,
@@ -118,7 +130,7 @@ def test_splunk_fields_for_authorize_endpoint(
                     force_new_token=True,
                 ),
             ),
-        ],
+        ]
     )
     def test_splunk_fields_for_callback_endpoint(
         self,
@@ -165,21 +177,8 @@ def test_splunk_fields_for_callback_endpoint(
     @pytest.mark.happy_path
     @pytest.mark.logging
     @pytest.mark.parametrize(
-        "is_nhs_login,username,provider,level",
+        "is_nhs_login,username,provider,level", combined_auth_params +
         [
-            # CIS2
-            pytest.param(
-                False,
-                "656005750104",
-                "apim-mock-nhs-cis2",
-                "aal3",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
-                    force_new_token=True,
-                ),
-            ),
             # NHS Login
             pytest.param(
                 True,
@@ -243,6 +242,7 @@ def test_splunk_fields_for_token_endpoint_authorization_code(
         assert auth_meta["auth_type"] == "user"
         assert auth_meta["grant_type"] == "authorization_code"
         assert auth_meta["level"] == level
+
         assert auth_meta["provider"] == provider
 
         auth_user = auth["user"]
@@ -298,13 +298,7 @@ def test_splunk_fields_for_token_endpoint_client_credentials(
 
     @pytest.mark.happy_path
     @pytest.mark.logging
-    @pytest.mark.nhsd_apim_authorization(
-        access="healthcare_worker",
-        level="aal3",
-        login_form={"username": "aal3"},
-        authentication="separate",
-        force_new_token=True,
-    )
+    @pytest.mark.parametrize("username, level", separate_auth_params)
     def test_splunk_fields_for_token_endpoint_token_exchange_cis2(
         self,
         nhsd_apim_proxy_url,
@@ -313,6 +307,8 @@ def test_splunk_fields_for_token_endpoint_token_exchange_cis2(
         token_data_token_exchange,
         _jwt_keys,
         cis2_subject_token_claims,
+        username,
+        level
     ):
         token_data_token_exchange["client_assertion"] = create_client_assertion(
             claims, _jwt_keys["private_key_pem"]