Merge pull request #9 from NHSDigital/AMB-577-migrate-tests-from-mock-proxy

matthewaclark21 · web-flow · commit 9044e7e691cd · 2021-04-28T14:45:27.000+01:00
AMB-577 Add 200 ok response to user-role-service endpoint
diff --git a/Makefile b/Makefile
@@ -55,4 +55,4 @@ test:
 
 smoketest:
 #	this target is for end to end smoketests this would be run 'post deploy' to verify an environment is working
-	poetry run pytest -v --junitxml=smoketest-report.xml -s -m smoketest
+	poetry run pytest -v tests/api_tests.py --junitxml=smoketest-report.xml -s
diff --git a/azure/templates/run-integration-tests.yml b/azure/templates/run-integration-tests.yml
@@ -17,6 +17,7 @@ steps:
       export OAUTH_PROXY="oauth2"
       export SERVICE_NAME="$(FULLY_QUALIFIED_SERVICE_NAME)"
       export ID_TOKEN_PRIVATE_KEY_ABSOLUTE_PATH="$(Pipeline.Workspace)/secrets/$(ID_TOKEN_TESTING_PRIVATE_KEY)"
+      export ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH="$(Pipeline.Workspace)/secrets/$(ID_TOKEN_NHS_LOGIN_PRIVATE_KEY)"
       export JWT_PRIVATE_KEY_ABSOLUTE_PATH="$(Pipeline.Workspace)/secrets/$(JWT_TESTING_PRIVATE_KEY)"
       export APIGEE_API_TOKEN="$(secret.AccessToken)"
       pytest --reruns 5 --reruns-delay 1 -v --junitxml=test-report.xml
diff --git a/proxies/live/apiproxy/proxies/default.xml b/proxies/live/apiproxy/proxies/default.xml
@@ -6,6 +6,11 @@
             <Name>FlowCallout.UserRoleService</Name>
         </Step>
       </Request>
+      <Response>
+        <Step>
+          <Name>AssignMessage.AddPayloadToPing</Name>
+        </Step>
+      </Response>
       <Condition>proxy.pathsuffix MatchesPath "/user-role-service"</Condition>
     </Flow>
     <Flow name="OptionsPreFlight">
@@ -67,6 +72,9 @@
   <RouteRule name="NoRouteStatus">
     <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
   </RouteRule>
+  <RouteRule name="NoRouteUserServiceRole">
+    <Condition>(proxy.pathsuffix MatchesPath "/user-service-role") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
+  </RouteRule>
   <RouteRule name="shared-flow-testing-target">
     <TargetEndpoint>shared-flow-testing-target</TargetEndpoint>
   </RouteRule>
diff --git a/tests/configuration/config.py b/tests/configuration/config.py
@@ -5,3 +5,7 @@
 ENVIRONMENT = ENV["environment"]
 BASE_URL = f"https://{ENVIRONMENT}.api.service.nhs.uk"
 BASE_PATH = ENV["base_path"]
+
+# Jwt variables
+JWT_PRIVATE_KEY_ABSOLUTE_PATH = ENV["jwt_private_key_absolute_path"]
+ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH = ENV["id_token_nhs_login_private_key_absolute_path"]
diff --git a/tests/configuration/environment.py b/tests/configuration/environment.py
@@ -16,4 +16,6 @@ def get_env(variable_name: str) -> str:
     # Apigee
     "environment": get_env("APIGEE_ENVIRONMENT"),
     "base_path": get_env("SERVICE_BASE_PATH"),
+    "jwt_private_key_absolute_path": get_env("JWT_PRIVATE_KEY_ABSOLUTE_PATH"),
+    "id_token_nhs_login_private_key_absolute_path": get_env("ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH")
 }
diff --git a/tests/test_endpoints.py b/tests/test_endpoints.py
@@ -1,13 +1,14 @@
 import pytest
 import requests
+from time import time
 from assertpy import assert_that
+from .configuration import config
 from api_test_utils.oauth_helper import OauthHelper
 from api_test_utils.apigee_api_apps import ApigeeApiDeveloperApps
 from api_test_utils.apigee_api_products import ApigeeApiProducts
 
 
 class TestEndpoints:
-
     @pytest.fixture()
     def app(self):
         """
@@ -40,11 +41,21 @@ async def test_app_and_product(self, app, product):
 
         await app.create_new_app()
 
-        await product.update_scopes([
-            "urn:nhsd:apim:app:level3:shared-flow-testing",
-            "urn:nhsd:apim:user-nhs-id:aal3:shared-flow-testing"
-        ])
+        await product.update_scopes(
+            [
+                "urn:nhsd:apim:app:level3:shared-flow-testing",
+                "urn:nhsd:apim:user-nhs-id:aal3:shared-flow-testing",
+                "urn:nhsd:apim:user-nhs-login:P9:shared-flow-testing",
+            ]
+        )
         await app.add_api_product([product.name])
+        await app.set_custom_attributes(
+            {
+                "jwks-resource-url": "https://raw.githubusercontent.com/NHSDigital/"
+                "identity-service-jwks/main/jwks/internal-dev/"
+                "9baed6f4-1361-4a8e-8531-1f8426e3aba8.json"
+            }
+        )
 
         yield product, app
 
@@ -58,22 +69,130 @@ async def get_token(self, test_app_and_product):
         oauth = OauthHelper(
             client_id=test_app.client_id,
             client_secret=test_app.client_secret,
-            redirect_uri=test_app.callback_url
-            )
+            redirect_uri=test_app.callback_url,
+        )
         token_resp = await oauth.get_token_response(grant_type="authorization_code")
         assert token_resp["status_code"] == 200
-        return token_resp['body']
+        return token_resp["body"]
+
+    @pytest.fixture()
+    async def get_token_client_credentials(self, test_app_and_product):
+        """Call identity server to get an access token"""
+        test_product, test_app = test_app_and_product
+        oauth = OauthHelper(
+            client_id=test_app.client_id,
+            client_secret=test_app.client_secret,
+            redirect_uri=test_app.callback_url,
+        )
+        jwt = oauth.create_jwt(kid="test-1")
+        token_resp = await oauth.get_token_response(
+            grant_type="client_credentials", _jwt=jwt
+        )
+        assert token_resp["status_code"] == 200
+        return token_resp["body"]
+
+    @pytest.fixture()
+    async def get_token_nhs_login_token_exchange(self, test_app_and_product):
+        """Call identity server to get an access token"""
+        test_product, test_app = test_app_and_product
+        oauth = OauthHelper(
+            client_id=test_app.client_id,
+            client_secret=test_app.client_secret,
+            redirect_uri=test_app.callback_url,
+        )
+
+        id_token_claims = {
+            "aud": "tf_-APIM-1",
+            "id_status": "verified",
+            "token_use": "id",
+            "auth_time": 1616600683,
+            "iss": "https://internal-dev.api.service.nhs.uk",
+            "vot": "P9.Cp.Cd",
+            "exp": int(time()) + 600,
+            "iat": int(time()) - 10,
+            "vtm": "https://auth.sandpit.signin.nhs.uk/trustmark/auth.sandpit.signin.nhs.uk",
+            "jti": "b68ddb28-e440-443d-8725-dfe0da330118",
+            "identity_proofing_level": "P9",
+        }
+        id_token_headers = {
+            "sub": "49f470a1-cc52-49b7-beba-0f9cec937c46",
+            "aud": "APIM-1",
+            "kid": "nhs-login",
+            "iss": "https://internal-dev.api.service.nhs.uk",
+            "typ": "JWT",
+            "exp": 1616604574,
+            "iat": 1616600974,
+            "alg": "RS512",
+            "jti": "b68ddb28-e440-443d-8725-dfe0da330118",
+        }
+        with open(config.ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH, "r") as f:
+            contents = f.read()
+
+        client_assertion_jwt = oauth.create_jwt(kid="test-1")
+        id_token_jwt = oauth.create_id_token_jwt(
+            algorithm="RS512",
+            claims=id_token_claims,
+            headers=id_token_headers,
+            signing_key=contents,
+        )
+
+        # When
+        token_resp = await oauth.get_token_response(
+            grant_type="token_exchange",
+            data={
+                "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
+                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+                "subject_token": id_token_jwt,
+                "client_assertion": client_assertion_jwt,
+            },
+        )
+        assert token_resp["status_code"] == 200
+        return token_resp["body"]
+
+    @pytest.mark.asyncio
+    async def test_happy_path(self, get_token):
+        # Given
+        token = get_token["access_token"]
+        expected_status_code = 200
+
+        # When
+        response = requests.get(
+            url="https://internal-dev.api.service.nhs.uk/shared-flow-testing/user-role-service",
+            headers={
+                "Authorization": f"Bearer {token}",
+                "NHSD-Session-URID": "555254242102",
+            },
+        )
 
-    def test_user_invalid_role_in_header(self, get_token):
+        # Then
+        assert_that(expected_status_code).is_equal_to(response.status_code)
+
+    @pytest.mark.asyncio
+    async def test_default_role(self, get_token):
+        # Given
+        token = get_token["access_token"]
+        expected_status_code = 200
+
+        # When
+        response = requests.get(
+            url="https://internal-dev.api.service.nhs.uk/shared-flow-testing/user-role-service",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        # Then
+        assert_that(expected_status_code).is_equal_to(response.status_code)
+
+    @pytest.mark.asyncio
+    async def test_user_invalid_role_in_header(self, get_token):
         # Given
-        token = get_token['access_token']
+        token = get_token["access_token"]
         expected_status_code = 400
         expected_error = "invalid role"
         expected_error_description = "nhsd-session-urid is invalid"
 
         # When
         response = requests.get(
-            url='https://internal-dev.api.service.nhs.uk/shared-flow-testing-pr-6/user-role-service',
+            url="https://internal-dev.api.service.nhs.uk/shared-flow-testing/user-role-service",
             headers={
                 "Authorization": f"Bearer {token}",
                 "NHSD-Session-URID": "notAuserRole123",
@@ -86,3 +205,45 @@ def test_user_invalid_role_in_header(self, get_token):
         assert_that(expected_error_description).is_equal_to(
             response.json()["error_description"]
         )
+
+    @pytest.mark.asyncio
+    async def test_no_role_provided(self, get_token_client_credentials):
+        token = get_token_client_credentials["access_token"]
+        # Given
+        expected_status_code = 400
+        expected_error = "invalid role"
+        expected_error_description = "selected_roleid is missing in your token"
+
+        # When
+        response = requests.get(
+            url="https://internal-dev.api.service.nhs.uk/shared-flow-testing/user-role-service",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        # Then
+        assert_that(expected_status_code).is_equal_to(response.status_code)
+        assert_that(expected_error).is_equal_to(response.json()["error"])
+        assert_that(expected_error_description).is_equal_to(
+            response.json()["error_description"]
+        )
+
+    @pytest.mark.asyncio
+    async def test_nhs_login_exchanged_token_no_role_provided(
+        self, get_token_nhs_login_token_exchange
+    ):
+        token = get_token_nhs_login_token_exchange["access_token"]
+        # Given
+        expected_status_code = 400
+        expected_error = "invalid role"
+        expected_error_description = "selected_roleid is missing in your token"
+
+        # When
+        response = requests.get(
+            url="https://internal-dev.api.service.nhs.uk/shared-flow-testing/user-role-service",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        # Then
+        assert_that(expected_status_code).is_equal_to(response.status_code)
+        assert_that(expected_error).is_equal_to(response.json()["error"])
+        assert_that(expected_error_description).is_equal_to(
+            response.json()["error_description"]
+        )

Original file line number	Diff line number	Diff line change
`@@ -16,4 +16,6 @@ def get_env(variable_name: str) -> str:`
`16`	`16`	`# Apigee`
`17`	`17`	`"environment": get_env("APIGEE_ENVIRONMENT"),`
`18`	`18`	`"base_path": get_env("SERVICE_BASE_PATH"),`
	`19`	`+ "jwt_private_key_absolute_path": get_env("JWT_PRIVATE_KEY_ABSOLUTE_PATH"),`
	`20`	`+ "id_token_nhs_login_private_key_absolute_path": get_env("ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH")`
`19`	`21`	`}`