Merge pull request #115 from NHSDigital/APM-5874_userinfo_combinedauth

fayez166 · web-flow · commit c79a49f78040 · 2025-03-12T12:26:19.000Z
APM-5874: Fix UseRoleService tests for separate auth
diff --git a/tests/test_user_role_service_v2.py b/tests/test_user_role_service_v2.py
@@ -124,57 +124,19 @@
         ),
         id="NHS Login combined: Can't use header to fetch from userinfo",
     ),
+]
+SEPARATE_AUTH_HAPPY_PARAMS = [
     pytest.param(
-        {},
-        "selected_roleid is missing in your token",
-        401,
-        marks=pytest.mark.nhsd_apim_authorization(
-            access="patient",
-            level="P9",
-            login_form={"username": "9912003071"},
-            authentication="separate",
-            force_new_token=True,
-        ),
-        id="NHS Login separate: Role can't be used from token",
-    ),
-    pytest.param(
-        {"NHSD-Session-URID": "9912003071"},
-        "unable to retrieve user info",
-        500,
-        marks=pytest.mark.nhsd_apim_authorization(
-            access="patient",
-            level="P9",
-            login_form={"username": "9912003071"},
-            authentication="separate",
-            force_new_token=True,
-        ),
-        id="NHS Login separate: Can't use header to fetch from userinfo",
-    ),
-    pytest.param(
-        {},
-        "selected_roleid is missing in your token",
-        401,
-        marks=pytest.mark.nhsd_apim_authorization(
-            access="healthcare_worker",
-            level="aal3",
-            login_form={"username": "656005750104"},
-            authentication="separate",
-            force_new_token=True,
-        ),
-        id="CIS2 separate: Role can't be used from token",
-    ),
-    pytest.param(
-        {"NHSD-Session-URID": "656005750104"},
-        "unable to retrieve user info",
-        500,
+        {"NHSD-Session-URID": "656014452101"},
+        "656014452101",
         marks=pytest.mark.nhsd_apim_authorization(
             access="healthcare_worker",
             level="aal3",
             login_form={"username": "656005750104"},
             authentication="separate",
             force_new_token=True,
         ),
-        id="CIS2 separate: Can't use header to fetch from userinfo",
+        id="CIS2 separate: User role sent in header",
     ),
 ]
 
@@ -289,3 +251,21 @@ def test_error_when_not_cis2_combined_auth_custom_header(
 
         assert resp.status_code == status_code
         assert resp.json()["issue"][0]["diagnostics"] == error_description
+
+    @pytest.mark.parametrize("additional_headers,expected_urid", SEPARATE_AUTH_HAPPY_PARAMS)
+    def test_separate_auth_happy_path_default_header(
+        self,
+        nhsd_apim_proxy_url,
+        nhsd_apim_auth_headers,
+        additional_headers,
+        expected_urid,
+    ):
+        """Due to the nature of separate auth (token_exchange), we can't use custom headers and we do not do any
+        specific validation. Therefore we can only test for the happy path returning a 200 response"""
+
+        resp = requests.get(
+            url=f"{nhsd_apim_proxy_url}/user-role-service-v2-default-header",
+            headers={**nhsd_apim_auth_headers, **additional_headers},
+        )
+
+        assert resp.status_code == 200
diff --git a/tests/test_user_roles.py b/tests/test_user_roles.py
@@ -38,6 +38,17 @@ class TestUserRoles:
                 ),
                 id="User role sent in header (no in id token, multiple in user info)",
             ),
+            pytest.param(
+                {"NHSD-Session-URID": "656014452101"},
+                marks=pytest.mark.nhsd_apim_authorization(
+                    access="healthcare_worker",
+                    level="aal3",
+                    login_form={"username": "656005750104"},
+                    authentication="separate",
+                    force_new_token=True,
+                ),
+                id="CIS2 separate: User role sent in header",
+            ),
         ],
     )
     def test_user_role_happy_path(
@@ -109,26 +120,6 @@ def test_user_role_happy_path(
                 ),
                 id="Invalid role in header",
             ),
-        ],
-    )
-    def test_user_role_unhappy_path(
-        self,
-        nhsd_apim_proxy_url,
-        nhsd_apim_auth_headers,
-        additional_headers,
-        error_description,
-    ):
-        resp = requests.get(
-            url=f"{nhsd_apim_proxy_url}/user-role-service",
-            headers={**nhsd_apim_auth_headers, **additional_headers},
-        )
-
-        assert resp.status_code == 400
-        assert resp.text == error_description
-
-    @pytest.mark.parametrize(
-        "additional_headers,error_description",
-        [
             pytest.param(
                 {},
                 "selected_roleid is missing in your token",
@@ -151,57 +142,9 @@ def test_user_role_unhappy_path(
                 ),
                 id="NHS Login combined: Can't use header to fetch from userinfo",
             ),
-            pytest.param(
-                {},
-                "selected_roleid is missing in your token",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="patient",
-                    level="P9",
-                    login_form={"username": "9912003071"},
-                    authentication="separate",
-                    force_new_token=True,
-                ),
-                id="NHS Login separate: Role can't be used from token",
-            ),
-            pytest.param(
-                {"NHSD-Session-URID": "9912003071"},
-                "unable to retrieve user info",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="patient",
-                    level="P9",
-                    login_form={"username": "9912003071"},
-                    authentication="separate",
-                    force_new_token=True,
-                ),
-                id="NHS Login separate: Can't use header to fetch from userinfo",
-            ),
-            pytest.param(
-                {},
-                "selected_roleid is missing in your token",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
-                    authentication="separate",
-                    force_new_token=True,
-                ),
-                id="CIS2 separate: Role can't be used from token",
-            ),
-            pytest.param(
-                {"NHSD-Session-URID": "656005750104"},
-                "unable to retrieve user info",
-                marks=pytest.mark.nhsd_apim_authorization(
-                    access="healthcare_worker",
-                    level="aal3",
-                    login_form={"username": "656005750104"},
-                    authentication="separate",
-                    force_new_token=True,
-                ),
-                id="CIS2 separate: Can't use header to fetch from userinfo",
-            ),
         ],
     )
-    def test_error_when_not_cis2_combined_auth(
+    def test_user_role_unhappy_path(
         self,
         nhsd_apim_proxy_url,
         nhsd_apim_auth_headers,
