AAL2 Changes

e2e/tests/logging/test_attach_logging_fields.py

@@ -170,4 +170,4 @@ def test_access_token_fields_for_logging(
         token_attributes = self.get_token_details(token_data)
 
         for attribute, _ in expected_token_attributes.items():
-            assert token_attributes[attribute] == expected_token_attributes[attribute]
+            assert token_attributes[attribute] == expected_token_attributes[attribute]

e2e/tests/logging/test_splunk_logging.py

@@ -15,6 +15,14 @@
 
 class TestSplunkLoggingFields:
     """Test suite for testing logging fields are sent to splunk"""
+    # We are on our second generation of mock identity provider for
+    # healthcare_worker access (CIS2). This allows you to log-in using a
+    # username.
+    MOCK_CIS2_USERNAMES = {
+     "aal1": ["656005750110"],
+     "aal2": ["656005750109", "656005750111", "656005750112"],
+     "aal3": ["656005750104", "656005750105", "656005750106"],
+    }
 
     @pytest.mark.happy_path
     @pytest.mark.logging
@@ -24,15 +32,24 @@ class TestSplunkLoggingFields:
             # CIS2
             pytest.param(
                 False,
-                "656005750104",
+                username,
                 "apim-mock-nhs-cis2",
                 marks=pytest.mark.nhsd_apim_authorization(
                     access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
+                    level=level,
+                    login_form={"username": username},
                     force_new_token=True,
                 ),
-            ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
+    )
+    @pytest.mark.happy_path
+    @pytest.mark.logging
+    @pytest.mark.parametrize(
+        "is_nhs_login,username,provider",
+        [
             # NHS Login
             pytest.param(
                 True,
@@ -95,16 +112,25 @@ def test_splunk_fields_for_authorize_endpoint(
             # CIS2
             pytest.param(
                 False,
-                "656005750104",
+                username,
                 "apim-mock-nhs-cis2",
-                "aal3",
+                level,
                 marks=pytest.mark.nhsd_apim_authorization(
                     access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
+                    level=level,
+                    login_form={"username": username},
                     force_new_token=True,
                 ),
-            ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ]
+    )
+    @pytest.mark.happy_path
+    @pytest.mark.logging
+    @pytest.mark.parametrize(
+        "is_nhs_login,username,provider,level",
+        [
             # NHS Login
             pytest.param(
                 True,
@@ -170,16 +196,25 @@ def test_splunk_fields_for_callback_endpoint(
             # CIS2
             pytest.param(
                 False,
-                "656005750104",
+                username,
                 "apim-mock-nhs-cis2",
-                "aal3",
+                level,
                 marks=pytest.mark.nhsd_apim_authorization(
                     access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
+                    level=level,
+                    login_form={"username": username},
                     force_new_token=True,
                 ),
-            ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
+    )
+    @pytest.mark.happy_path
+    @pytest.mark.logging
+    @pytest.mark.parametrize(
+        "is_nhs_login,username,provider,level",
+        [
             # NHS Login
             pytest.param(
                 True,
@@ -192,7 +227,7 @@ def test_splunk_fields_for_callback_endpoint(
                     login_form={"username": "9912003071"},
                     force_new_token=True,
                 ),
-            ),
+            )
         ],
     )
     def test_splunk_fields_for_token_endpoint_authorization_code(

e2e/tests/oauth/test_authorization_code.py

@@ -1256,4 +1256,4 @@ def test_nhs_login_refresh_tokens_generated_with_expected_expiry_combined_auth(
         Test that refresh tokens generated via NHS Login have an expiry time of 1 hour for combined authentication.
         """
         assert _nhsd_apim_auth_token_data["expires_in"] == "599"
-        assert _nhsd_apim_auth_token_data["refresh_token_expires_in"] == "3599"
+        assert _nhsd_apim_auth_token_data["refresh_token_expires_in"] == "3599"

e2e/tests/oauth/test_backchannel_logout.py

@@ -11,6 +11,14 @@
 
 class TestBackChannelLogout:
     """A test suite for back-channel logout functionality"""
+    # We are on our second generation of mock identity provider for
+    # healthcare_worker access (CIS2). This allows you to log-in using a
+    # username.
+    MOCK_CIS2_USERNAMES = {
+     "aal1": ["656005750110"],
+     "aal2": ["656005750109", "656005750111", "656005750112"],
+     "aal3": ["656005750104", "656005750105", "656005750106"],
+    }
 
     def create_logout_token(
         self,
@@ -60,11 +68,19 @@ def create_logout_token(
         return logout_token_jwt
 
     @pytest.mark.happy_path
-    @pytest.mark.nhsd_apim_authorization(
-        access="healthcare_worker",
-        level="aal3",
-        login_form={"username": "656005750104"},
-        force_new_token=True,
+    @pytest.mark.parametrize(
+        [
+            pytest.param(
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level=level,
+                    login_form={"username": username},
+                    force_new_token=True,
+                ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
     )
     def test_backchannel_logout_happy_path(
         self, _nhsd_apim_auth_token_data, nhsd_apim_proxy_url
@@ -100,11 +116,19 @@ def test_backchannel_logout_happy_path(
         assert userinfo_resp.status_code == 401
 
     @pytest.mark.happy_path
-    @pytest.mark.nhsd_apim_authorization(
-        access="healthcare_worker",
-        level="aal3",
-        login_form={"username": "656005750104"},
-        force_new_token=True,
+    @pytest.mark.parametrize(
+        [
+            pytest.param(
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level=level,
+                    login_form={"username": username},
+                    force_new_token=True,
+                ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
     )
     def test_backchannel_logout_user_refresh_token(
         self, _nhsd_apim_auth_token_data, nhsd_apim_proxy_url, _test_app_credentials
@@ -164,11 +188,19 @@ def test_backchannel_logout_user_refresh_token(
         assert post_refresh_userinfo_resp.status_code == 401
 
     # Request sends a JWT has missing or invalid claims of the following problems, returns a 400
-    @pytest.mark.nhsd_apim_authorization(
-        access="healthcare_worker",
-        level="aal3",
-        login_form={"username": "656005750104"},
-        force_new_token=True,
+    @pytest.mark.parametrize(
+        [
+            pytest.param(
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level=level,
+                    login_form={"username": username},
+                    force_new_token=True,
+                ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
     )
     @pytest.mark.parametrize(
         "claims,status_code,error_message",
@@ -318,11 +350,19 @@ def test_claims(
         assert back_channel_resp.json()["error_description"] == error_message
 
     # Request sends JWT that cannot be verified returns a  400
-    @pytest.mark.nhsd_apim_authorization(
-        access="healthcare_worker",
-        level="aal3",
-        login_form={"username": "656005750104"},
-        force_new_token=True,
+    @pytest.mark.parametrize(
+        [
+            pytest.param(
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level=level,
+                    login_form={"username": username},
+                    force_new_token=True,
+                ),
+            )
+            for level, usernames in MOCK_CIS2_USERNAMES.items()
+            for username in usernames
+        ],
     )
     def test_invalid_jwt(self, _nhsd_apim_auth_token_data, nhsd_apim_proxy_url):
         access_token = _nhsd_apim_auth_token_data["access_token"]