Merge pull request #36 from NHSDigital/AMB-804-add-js-for-setting-logs

artronics · web-flow · commit 0f0b07fee7eb · 2021-09-08T15:58:32.000+01:00
AMB-804 test js policy to set logging fields
diff --git a/Makefile b/Makefile
@@ -46,6 +46,7 @@ release: clean publish build-proxy
 	mkdir -p dist
 	for f in $(_dist_include); do cp -r $$f dist; done
 	cp ecs-proxies-deploy.yml dist/ecs-deploy-sandbox.yml
+	cp ecs-proxies-deploy.yml dist/ecs-deploy-internal-dev.yml
 	cp ecs-proxies-deploy.yml dist/ecs-deploy-internal-qa-sandbox.yml
 	cp ecs-proxies-deploy.yml dist/ecs-deploy-internal-dev-sandbox.yml
 
@@ -55,4 +56,4 @@ test:
 
 smoketest:
 #	this target is for end to end smoketests this would be run 'post deploy' to verify an environment is working
-	poetry run pytest -v tests/api_tests.py --junitxml=smoketest-report.xml -s
+	poetry run pytest -v tests/api_tests.py --junitxml=smoketest-report.xml -s
diff --git a/proxies/live/apiproxy/policies/AssignMessage.AddPayloadToSplunkTest.xml b/proxies/live/apiproxy/policies/AssignMessage.AddPayloadToSplunkTest.xml
diff --git a/proxies/live/apiproxy/proxies/default.xml b/proxies/live/apiproxy/proxies/default.xml
@@ -56,11 +56,6 @@
           <Name>OauthV2.VerifyAccessToken</Name>
         </Step>
       </Request>
-      <Response>
-        <Step>
-          <Name>AssignMessage.AddPayloadToSplunkTest</Name>
-        </Step>
-      </Response>
       <Condition>(proxy.pathsuffix MatchesPath "/splunk-test") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
     </Flow>
     <Flow name="ApiKeyProtectedEndpoint">
@@ -99,15 +94,6 @@
   <RouteRule name="NoRouteUserServiceRole">
     <Condition>(proxy.pathsuffix MatchesPath "/user-role-service") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
   </RouteRule>
-  <RouteRule name="NoRouteSplunkTest">
-    <Condition>(proxy.pathsuffix MatchesPath "/splunk-test") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
-  </RouteRule>
-  <RouteRule name="NoRouteOpenAccess">
-    <Condition>(proxy.pathsuffix MatchesPath "/open-access") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
-  </RouteRule>
-  <RouteRule name="NoRouteApiKeyProtected">
-    <Condition>(proxy.pathsuffix MatchesPath "/apikey-protected") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
-  </RouteRule>
   <RouteRule name="shared-flow-testing-target">
     <TargetEndpoint>shared-flow-testing-target</TargetEndpoint>
   </RouteRule>
diff --git a/proxies/live/apiproxy/targets/sft-target.xml b/proxies/live/apiproxy/targets/sft-target.xml
@@ -12,9 +12,6 @@
   </FaultRules>
   <PreFlow>
     <Request>
-      <Step>
-        <Name>OauthV2.VerifyAccessToken</Name>
-      </Step>
       <Step>
         <Name>Quota</Name>
       </Step>
@@ -36,11 +33,6 @@
     </HTTPTargetConnection>
   -->
   <HTTPTargetConnection>
-    <URL>http://mocktarget.apigee.net</URL>
-    <Properties>
-      <Property name="supports.http10">true</Property>
-      <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
-      <Property name="retain.queryparams">apikey</Property>
-    </Properties>
+    {{ HOSTED_TARGET_CONNECTION }}
   </HTTPTargetConnection>
 </TargetEndpoint>
diff --git a/sandbox/app.js b/sandbox/app.js
@@ -127,7 +127,12 @@ app.get("/_ping", handlers.status);
 app.get("/_status", handlers.status);
 app.get("/health", handlers.status);
 app.all("/hello", handlers.hello);
+
+app.get("/open-access", handlers.sampleResponse);
+app.get("/splunk-test", handlers.sampleResponse);
+app.get("/apikey-protected", handlers.sampleResponse);
+
 app.use(on_error)
 app.use(after_request);
 
-module.exports = {start: start, setup: setup};
+module.exports = {start: start, setup: setup};
diff --git a/sandbox/handlers.js b/sandbox/handlers.js
@@ -62,7 +62,12 @@ async function hello(req, res, next) {
     next();
 }
 
+async function sampleResponse(req, res, next) {
+    res.json({message: "share-flow-testing"})
+}
+
 module.exports = {
     status: status,
-    hello: hello
+    hello: hello,
+    sampleResponse: sampleResponse
 };
diff --git a/tests/splunk_logging_schema.json b/tests/splunk_logging_schema.json
@@ -120,7 +120,7 @@
         },
         "client_id": {
           "type": "string",
-          "pattern": "(^[0-9A-Za-z]{32}$)|Not provided"
+          "pattern": "(^[0-9A-Za-z]{32}$)|empty"
         },
         "application_id": {
           "type": "string",
diff --git a/tests/test_splunk_logging.py b/tests/test_splunk_logging.py
@@ -14,6 +14,7 @@ class TestSplunkLogging:
     oauth_protected_url = f"https://{ENVIRONMENT}.api.service.nhs.uk/{SERVICE_BASE_PATH}/splunk-test"
     apikey_protected_url = f"https://{ENVIRONMENT}.api.service.nhs.uk/{SERVICE_BASE_PATH}/apikey-protected"
     open_access_url = f"https://{ENVIRONMENT}.api.service.nhs.uk/{SERVICE_BASE_PATH}/open-access"
+    ping_url = f"https://{ENVIRONMENT}.api.service.nhs.uk/{SERVICE_BASE_PATH}/_ping"
 
     @staticmethod
     async def _get_payload_from_splunk(debug):
@@ -145,7 +146,7 @@ async def test_splunk_auth_with_nhs_login_token_exchange(self, get_token_nhs_log
     async def test_splunk_auth_with_invalid_token(self, debug):
         # Given
         token = "invalid token"
-        expected_hashed_token = ""
+        expected_hashed_token = "empty"
 
         # When
         await debug.start_trace()
@@ -160,16 +161,16 @@ async def test_splunk_auth_with_invalid_token(self, debug):
         assert auth["access_token_hash"] == expected_hashed_token
 
         auth_meta = auth["meta"]
-        assert auth_meta["auth_type"] == "app"
+        assert auth_meta["auth_type"] == "unknown"
         assert auth_meta["grant_type"] == ""
-        assert auth_meta["level"] == "Level0"
+        assert auth_meta["level"] == "-"
         assert auth_meta["provider"] == "apim"
 
         auth_user = auth["user"]
         assert auth_user["user_id"] == ""
 
         meta = payload["meta"]
-        assert meta["client_id"] == "Not provided"
+        assert meta["client_id"] == "empty"
         assert meta["application"] == "unknown"
         assert meta["product"] == ""
 
@@ -178,7 +179,7 @@ async def test_splunk_auth_with_invalid_token(self, debug):
     async def test_splunk_auth_with_expired_token(self, debug):
         # Given
         token = "zRygtc34R2pwxbiUktLsMJWX0iJW"
-        expected_hashed_token = ""
+        expected_hashed_token = "empty"
 
         # When
         await debug.start_trace()
@@ -193,22 +194,21 @@ async def test_splunk_auth_with_expired_token(self, debug):
         assert auth["access_token_hash"] == expected_hashed_token
 
         auth_meta = auth["meta"]
-        assert auth_meta["auth_type"] == "app"
+        assert auth_meta["auth_type"] == "unknown"
         assert auth_meta["grant_type"] == ""
-        assert auth_meta["level"] == "Level0"
+        assert auth_meta["level"] == "-"
         assert auth_meta["provider"] == "apim"
 
         auth_user = auth["user"]
         assert auth_user["user_id"] == ""
 
         meta = payload["meta"]
-        assert meta["client_id"] == "Not provided"
+        assert meta["client_id"] == "empty"
         assert meta["application"] == "unknown"
         assert meta["product"] == ""
 
     @pytest.mark.splunk
     @pytest.mark.asyncio
-    @pytest.mark.debug
     async def test_splunk_auth_with_apikey(self, debug):
         # Given
         apikey = APP_CLIENT_ID
@@ -228,7 +228,7 @@ async def test_splunk_auth_with_apikey(self, debug):
         auth_meta = auth["meta"]
         assert auth_meta["auth_type"] == "app"
         assert auth_meta["grant_type"] == ""
-        assert auth_meta["level"] == "Level0"
+        assert auth_meta["level"] == "-"
         assert auth_meta["provider"] == "apim"
 
         auth_user = auth["user"]
@@ -258,14 +258,14 @@ async def test_splunk_auth_with_invalid_apikey(self, debug):
         auth_meta = auth["meta"]
         assert auth_meta["auth_type"] == "app"
         assert auth_meta["grant_type"] == ""
-        assert auth_meta["level"] == "Level0"
+        assert auth_meta["level"] == "-"
         assert auth_meta["provider"] == "apim"
 
         auth_user = auth["user"]
         assert auth_user["user_id"] == ""
 
         meta = payload["meta"]
-        assert meta["client_id"] == "Not provided"
+        assert meta["client_id"] == ""
         assert meta["application"] == "unknown"
         assert meta["product"] == ""
 
@@ -286,14 +286,42 @@ async def test_splunk_auth_open_access(self, debug):
         auth_meta = auth["meta"]
         assert auth_meta["auth_type"] == "app"
         assert auth_meta["grant_type"] == ""
-        assert auth_meta["level"] == "Level0"
+        assert auth_meta["level"] == "open"
+        assert auth_meta["provider"] == "apim"
+
+        auth_user = auth["user"]
+        assert auth_user["user_id"] == ""
+
+        meta = payload["meta"]
+        assert meta["client_id"] == "empty"
+        assert meta["application"] == "unknown"
+
+    @pytest.mark.splunk
+    @pytest.mark.asyncio
+    async def test_splunk_auth_open_access_ping(self, debug):
+        # There is nothing especial about /_ping itself. It's an endpoint that doesn't have a target backend
+        # When
+        await debug.start_trace()
+        requests.get(
+            url=self.ping_url,
+        )
+        payload = await self._get_payload_from_splunk(debug)
+
+        # Then
+        auth = payload["auth"]
+        assert auth["access_token_hash"] == ""
+
+        auth_meta = auth["meta"]
+        assert auth_meta["auth_type"] == "app"
+        assert auth_meta["grant_type"] == ""
+        assert auth_meta["level"] == "open"
         assert auth_meta["provider"] == "apim"
 
         auth_user = auth["user"]
         assert auth_user["user_id"] == ""
 
         meta = payload["meta"]
-        assert meta["client_id"] == "Not provided"
+        assert meta["client_id"] == "empty"
         assert meta["application"] == "unknown"
 
     @pytest.mark.splunk
