From 1609349a5bc70dc2cecf354c2596313f77465293 Mon Sep 17 00:00:00 2001
From: Fayez Ahmed
Date: Thu, 6 Mar 2025 12:46:55 +0000
Subject: [PATCH 1/3] APM-5874: Amend tests for spearate auth happy path
---
 tests/test_user_roles.py | 81 ++++++----------------------------------
 1 file changed, 12 insertions(+), 69 deletions(-)
diff --git a/tests/test_user_roles.py b/tests/test_user_roles.py
index fc8e994..9839000 100644
--- a/tests/test_user_roles.py
+++ b/tests/test_user_roles.py
@@ -38,6 +38,17 @@ class TestUserRoles:
 ),
 id="User role sent in header (no in id token, multiple in user info)",
 ),
+ pytest.param(
+ {"NHSD-Session-URID": "656014452101"},
+ marks=pytest.mark.nhsd_apim_authorization(
+ access="healthcare_worker",
+ level="aal3",
+ login_form={"username": "656005750104"},
+ authentication="separate",
+ force_new_token=True,
+ ),
+ id="CIS2 separate: User role sent in header",
+ ),
 ],
 )
 def test_user_role_happy_path(
@@ -109,26 +120,6 @@ def test_user_role_happy_path(
 ),
 id="Invalid role in header",
 ),
- ],
- )
- def test_user_role_unhappy_path(
- self,
- nhsd_apim_proxy_url,
- nhsd_apim_auth_headers,
- additional_headers,
- error_description,
- ):
- resp = requests.get(
- url=f"{nhsd_apim_proxy_url}/user-role-service",
- headers={**nhsd_apim_auth_headers, **additional_headers},
- )
-
- assert resp.status_code == 400
- assert resp.text == error_description
-
- @pytest.mark.parametrize(
- "additional_headers,error_description",
- [
 pytest.param(
 {},
 "selected_roleid is missing in your token",
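Review bot: Separate-auth requests lose all of their negative coverage in this patch: the case added at `@@ -38,6 +38,17 @@` is the only separate-auth case left in `tests/test_user_roles.py`, while the hunk at `@@ -151,57 +142,9 @@` removes the four separate-auth error cases (the same removal happens in `tests/test_user_role_service_v2.py` at `@@ -124,58 +136,6 @@`). After this, nothing pins what the proxy returns for a separate-auth token when `NHSD-Session-URID` is absent, or for an NHS Login patient token, so a change that starts accepting those requests would not fail the suite. If those requests are still rejected, the `{}`-header cases should stay with their current expected message instead of being dropped. The header role `656014452101` also differs from the login username `656005750104`; a comment on the new param such as `# separate auth: role ID is taken from the header; confirm whether it is checked against the user's roles` would record the assumption. The body of `test_user_role_happy_path` is outside the hunk, so what it asserts for this case is not visible here.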
@@ -151,57 +142,9 @@ def test_user_role_unhappy_path(
 ),
 id="NHS Login combined: Can't use header to fetch from userinfo",
 ),
- pytest.param(
- {},
- "selected_roleid is missing in your token",
- marks=pytest.mark.nhsd_apim_authorization(
- access="patient",
- level="P9",
- login_form={"username": "9912003071"},
- authentication="separate",
- force_new_token=True,
- ),
- id="NHS Login separate: Role can't be used from token",
- ),
- pytest.param(
- {"NHSD-Session-URID": "9912003071"},
- "unable to retrieve user info",
- marks=pytest.mark.nhsd_apim_authorization(
- access="patient",
- level="P9",
- login_form={"username": "9912003071"},
- authentication="separate",
- force_new_token=True,
- ),
- id="NHS Login separate: Can't use header to fetch from userinfo",
- ),
- pytest.param(
- {},
- "selected_roleid is missing in your token",
- marks=pytest.mark.nhsd_apim_authorization(
- access="healthcare_worker",
- level="aal3",
- login_form={"username": "656005750104"},
- authentication="separate",
- force_new_token=True,
- ),
- id="CIS2 separate: Role can't be used from token",
- ),
- pytest.param(
- {"NHSD-Session-URID": "656005750104"},
- "unable to retrieve user info",
- marks=pytest.mark.nhsd_apim_authorization(
- access="healthcare_worker",
- level="aal3",
- login_form={"username": "656005750104"},
- authentication="separate",
- force_new_token=True,
- ),
- id="CIS2 separate: Can't use header to fetch from userinfo",
- ),
 ],
 )
- def test_error_when_not_cis2_combined_auth(
+ def test_user_role_unhappy_path(
 self,
 nhsd_apim_proxy_url,
 nhsd_apim_auth_headers,
From 35f742d0296d29154c46cc741beb317db9b2343d Mon Sep 17 00:00:00 2001
From: Fayez Ahmed
Date: Thu, 6 Mar 2025 13:14:14 +0000
Subject: [PATCH 2/3] APM-5874: Amend tests for spearate auth happy path
---
 tests/test_user_role_service_v2.py | 64 ++++++------------------------
 1 file changed, 12 insertions(+), 52 deletions(-)
diff --git a/tests/test_user_role_service_v2.py b/tests/test_user_role_service_v2.py
index 2f0fce3..abeef5f 100644
--- a/tests/test_user_role_service_v2.py
+++ b/tests/test_user_role_service_v2.py
@@ -35,6 +35,18 @@
 ),
 id="User role sent in header (no in id token, multiple in user info)",
 ),
+ pytest.param(
+ {"NHSD-Session-URID": "656014452101"},
+ "656014452101",
+ marks=pytest.mark.nhsd_apim_authorization(
+ access="healthcare_worker",
+ level="aal3",
+ login_form={"username": "656005750104"},
+ authentication="separate",
+ force_new_token=True,
+ ),
+ id="CIS2 separate: User role sent in header",
+ ),
 ]
 UNHAPPY_PATH_PARAMS = [
 pytest.param(
@@ -124,58 +136,6 @@
 ),
 id="NHS Login combined: Can't use header to fetch from userinfo",
 ),
- pytest.param(
- {},
- "selected_roleid is missing in your token",
- 401,
- marks=pytest.mark.nhsd_apim_authorization(
- access="patient",
- level="P9",
- login_form={"username": "9912003071"},
- authentication="separate",
- force_new_token=True,
- ),
- id="NHS Login separate: Role can't be used from token",
- ),
- pytest.param(
- {"NHSD-Session-URID": "9912003071"},
- "unable to retrieve user info",
- 500,
- marks=pytest.mark.nhsd_apim_authorization(
- access="patient",
- level="P9",
- login_form={"username": "9912003071"},
- authentication="separate",
- force_new_token=True,
- ),
- id="NHS Login separate: Can't use header to fetch from userinfo",
- ),
- pytest.param(
- {},
- "selected_roleid is missing in your token",
- 401,
- marks=pytest.mark.nhsd_apim_authorization(
- access="healthcare_worker",
- level="aal3",
- login_form={"username": "656005750104"},
- authentication="separate",
- force_new_token=True,
- ),
- id="CIS2 separate: Role can't be used from token",
- ),
- pytest.param(
- {"NHSD-Session-URID": "656005750104"},
- "unable to retrieve user info",
- 500,
- marks=pytest.mark.nhsd_apim_authorization(
- access="healthcare_worker",
- level="aal3",
- login_form={"username": "656005750104"},
- authentication="separate",
- force_new_token=True,
- ),
- id="CIS2 separate: Can't use header to fetch from userinfo",
- ),
 ]
From 5c0d3132539d84e0ecbe048ac411a8761bfa733c Mon Sep 17 00:00:00 2001
From: Fayez Ahmed
Date: Fri, 7 Mar 2025 15:14:47 +0000
Subject: [PATCH 3/3] APM-5874: Amend tests for spearate auth happy path
---
 tests/test_user_role_service_v2.py | 44 ++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/tests/test_user_role_service_v2.py b/tests/test_user_role_service_v2.py
index abeef5f..debdce2 100644
--- a/tests/test_user_role_service_v2.py
+++ b/tests/test_user_role_service_v2.py
@@ -35,18 +35,6 @@
 ),
 id="User role sent in header (no in id token, multiple in user info)",
 ),
- pytest.param(
- {"NHSD-Session-URID": "656014452101"},
- "656014452101",
- marks=pytest.mark.nhsd_apim_authorization(
- access="healthcare_worker",
- level="aal3",
- login_form={"username": "656005750104"},
- authentication="separate",
- force_new_token=True,
- ),
- id="CIS2 separate: User role sent in header",
- ),
 ]
 UNHAPPY_PATH_PARAMS = [
 pytest.param(
@@ -137,6 +125,20 @@
 id="NHS Login combined: Can't use header to fetch from userinfo",
 ),
 ]
+SEPARATE_AUTH_HAPPY_PARAMS = [
+ pytest.param(
+ {"NHSD-Session-URID": "656014452101"},
+ "656014452101",
+ marks=pytest.mark.nhsd_apim_authorization(
+ access="healthcare_worker",
+ level="aal3",
+ login_form={"username": "656005750104"},
+ authentication="separate",
+ force_new_token=True,
+ ),
+ id="CIS2 separate: User role sent in header",
+ ),
+]
 class TestUserRoles:
@@ -249,3 +251,21 @@ def test_error_when_not_cis2_combined_auth_custom_header(
 assert resp.status_code == status_code
 assert resp.json()["issue"][0]["diagnostics"] == error_description
+
+ @pytest.mark.parametrize("additional_headers,expected_urid", SEPARATE_AUTH_HAPPY_PARAMS)
+ def test_separate_auth_happy_path_default_header(
+ self,
+ nhsd_apim_proxy_url,
+ nhsd_apim_auth_headers,
+ additional_headers,
+ expected_urid,
+ ):
+ """Due to the nature of separate auth (token_exchange), we can't use custom headers and we do not do any
+ specific validation. Therefore we can only test for the happy path returning a 200 response"""
+
+ resp = requests.get(
+ url=f"{nhsd_apim_proxy_url}/user-role-service-v2-default-header",
+ headers={**nhsd_apim_auth_headers, **additional_headers},
+ )
+
+ assert resp.status_code == 200
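Review bot: `SEPARATE_AUTH_HAPPY_PARAMS` (hunk `@@ -137,6 +125,20 @@`) does not say how its two IDs relate: the header carries role `656014452101` while the token is issued for login `656005750104`. The docstring of the test that consumes this list states that no validation is done for separate auth, so a reader cannot tell whether this role is one the user actually holds or an arbitrary value that is accepted anyway. A comment above the list, for example `# CIS2 separate auth: NHSD-Session-URID is forwarded as sent; note here whether 656014452101 is a role of user 656005750104`, would make the intended trust assumption explicit.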
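Review bot: `expected_urid` is parametrized into `test_separate_auth_happy_path_default_header` (hunk `@@ -249,3 +251,21 @@`) but never used; the only assertion is `assert resp.status_code == 200`, so the test passes whatever role the proxy forwards, rewrites or drops. If the response exposes the role that was applied (the other happy-path tests in this file lie outside the hunk, so their assertions are not visible), assert it against `expected_urid`; otherwise remove the second value from `SEPARATE_AUTH_HAPPY_PARAMS` together with the parameter. Since the docstring says this path does no validation, a companion case that sends no `NHSD-Session-URID` header would pin what happens when the role is missing. The `requests.get(...)` call also has no `timeout=`, so an unresponsive proxy stalls the run instead of failing it.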