pytest-nhsd-apim 3.3.15__tar.gz → 3.4.2__tar.gz

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pytest-nhsd-apim
-Version: 3.3.15
+Version: 3.4.2
 Summary: Pytest plugin accessing NHSDigital's APIM proxies
 Home-page: https://github.com/NHSDigital/pytest-nhsd-apim
 Author: Adrian Ciobanita
@@ -11,7 +11,7 @@ License: MIT
 Classifier: Framework :: Pytest
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Requires-Dist: Authlib==0.15.5
+Requires-Dist: Authlib==1.3.1
 Requires-Dist: cryptography==42.0.0
 Requires-Dist: lxml==4.9.1
 Requires-Dist: pycryptodome==3.20.0
@@ -99,6 +99,7 @@ The APIs we offer at the moment are:
 | ApiProductsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L575)  |[Overview](https://apidocs.apigee.com/docs/api-products/1/overview)|
 | DebugSessionsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L844)  |[Overview](https://apidocs.apigee.com/docs/debug-sessions/1/overview)|
 | AccessTokensAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L983)  |[Overview](https://apidocs.apigee.com/docs/oauth-20-access-tokens/1/overview)|
+| AppKeysAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L1243)  |[Overview](https://apidocs.apigee.com/docs/developer-app-keys/1/overview)|
 
 For a more detailed implementation of the available APIs please refer to the tests [here](/tests/test_apigee_apis.py).
 We will keep adding APIs with time, if you are looking for a particular APIs not listed above please feel free to open a pull request and send it to us.

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/README.md

@@ -73,6 +73,7 @@ The APIs we offer at the moment are:
 | ApiProductsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L575)  |[Overview](https://apidocs.apigee.com/docs/api-products/1/overview)|
 | DebugSessionsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L844)  |[Overview](https://apidocs.apigee.com/docs/debug-sessions/1/overview)|
 | AccessTokensAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L983)  |[Overview](https://apidocs.apigee.com/docs/oauth-20-access-tokens/1/overview)|
+| AppKeysAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L1243)  |[Overview](https://apidocs.apigee.com/docs/developer-app-keys/1/overview)|
 
 For a more detailed implementation of the available APIs please refer to the tests [here](/tests/test_apigee_apis.py).
 We will keep adding APIs with time, if you are looking for a particular APIs not listed above please feel free to open a pull request and send it to us.

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pytest-nhsd-apim"
-version = "3.3.15"
+version = "3.4.2"
 description = "Pytest plugin accessing NHSDigital's APIM proxies"
 authors = ["Adrian Ciobanita <adrian.ciobanita1@nhs.net>", "Alex Carrie <alexander.carrie1@nhs.net>", "Lucas Fantini <lucas.fantini@nhs.net>"]
 maintainers = ["Alex Carrie <alexander.carrie1@nhs.net>", "Alex Hawdon <alex.hawdon1@nhs.net"]
@@ -10,7 +10,7 @@ classifiers = ["Framework :: Pytest"]
 license = "MIT"
 
 [tool.poetry.dependencies]
-Authlib = "^0.15.5"
+Authlib = "^1.3.1"
 cryptography = ">42.0.0"
 lxml = "^4.9.1"
 python = "^3.8"

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim/apigee_apis.py

@@ -476,7 +476,7 @@ class DeveloperAppsAPI:
         resp = self.client.delete(url=url)
         if resp.status_code != 200:
             raise Exception(
-                f"GET request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
             )
         return resp.json()
 
@@ -1241,11 +1241,218 @@ class UserRolesAPI:
 
 
 class AppKeysAPI:
+    """
+    Manage consumer credentials for apps associated with individual developers.
+
+    Credential pairs consisting of consumer key and consumer secret are provisioned
+    by Apigee Edge to apps for specific API products. Apigee Edge maintains the
+    relationship between consumer keys and API products, enabling API products to be
+    added to and removed from consumer keys. A single consumer key can be used to
+    access multiple API products. Keys may be manually or automatically approved for
+    API products--how they are issued depends on the API product configuration. A key
+    must approved and approved for an API product to be capable of accessing any of
+    the URIs defined in the API product.
+    """
+
     def __init__(self, client: RestClient) -> None:
         self.client = client
-        raise NotImplementedError(
-            f"Ugh! this is awkward, this API is not available yet...feel free to give us a shout or to open a PR https://github.com/NHSDigital/pytest-nhsd-apim/blob/0cf274850a8fe61e17f214380496ba09fd6cc973/src/pytest_nhsd_apim/apigee_apis.py#L1142"
-        )
+
+    def create_app_key(self, email: str, app_name: str, body: dict) -> "dict":
+        """
+        Creates a custom consumer key and secret for a developer app.
+        This is particularly useful if you want to migrate existing consumer
+        keys/secrets to Edge from another system.
+
+        After creating the consumer key and secret, associate the key with an
+        API product, as described in Add API Product to Key.
+
+        Consumer keys and secrets can contain letters, numbers, underscores,
+        and hyphens. No other special characters are allowed.
+
+        Note: Be aware of the following size limits on API keys. By staying
+        within these limits, you help avoid service disruptions.
+
+        - Consumer key (API key) size: 2 KB
+
+        - Consumer secret size: 2 KB
+
+        If a consumer key and secret already exist, you can either keep them
+        or delete them, as described in Delete Key for a Developer App.
+
+        In addition, you can use this API if you have existing API keys and
+        secrets that you want to copy into Edge from another system. For more
+        information, see Import existing consumer keys and secrets.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/create"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, json=body)
+        if resp.status_code != 201:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def delete_app_key(self, email: str, app_name: str, app_key: str) -> None:
+        """
+        Deletes a consumer key that belongs to an app, and removes all API products
+        associated with the app. Once deleted, the consumer key cannot be used
+        to access any APIs.
+
+        After you delete a consumer key, you may want to:
+
+        - Create a new consumer key and secret for the developer app, and
+          subsequently add an API product to the key.
+
+        - Delete the developer app, if it is no longer required.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{app_key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.delete(url=url)
+        if resp.status_code != 200:
+            raise Exception(
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def get_app_key(self, email: str, app_name: str, key: str, **query_params) -> "list[str]":
+        """
+        Gets details for a consumer key for a developer app, including the key
+        and secret value, associated API products, and other information.
+        """
+
+        params = query_params
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.get(url=url, params=params)
+        if resp.status_code != 200:
+            raise Exception(
+                f"GET request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+
+    def post_app_key(self, email: str, app_name: str, key: str, body: dict, **query_params) -> "dict":
+        """
+        Enables you to perform one of the following tasks:
+
+        - Add an API product to a developer app key, enabling the app that holds
+          the key to access the API resources bundled in the API product. You can
+          also use this API to add attributes to the key. You must include all existing
+          attributes, whether or not you are updating them, as well as any new attributes
+          that you are adding. After adding the API product, you can use the same key
+          to access all API products associated with the app.
+
+        - Approve or revoke a specific consumer key for an app. Call the API with the
+          action query parameter set to approve or revoke (with no request body) and
+          set the Content-type header to application/octet-stream. If successful, the HTTP
+          status code for success is: 204 No Content
+
+        - You can approve a consumer key that is currently revoked or pending. Once
+          approved, the app can use the consumer key to access APIs. Revoking a consumer
+          key renders it unusable for the app to use to access an API.
+
+        - Note: Any access tokens associated with a revoked app key will remain active.
+          However, Apigee Edge checks the status of the app key and if set to revoked it
+          will not allow API calls to go through.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, json=body, params=query_params)
+        if resp.status_code != 200 and resp.status_code != 204:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        if resp.status_code == 204:
+            return resp
+        else:
+            return resp.json()
+
+    def put_app_key(self, email: str, app_name: str, key: str, body: dict) -> "dict":
+        """
+        Updates the allowed OAuth scopes associated with an app.
+
+        Note: Specify the complete list of scopes to apply. The specified list replaces
+        the existing scopes on the app. Therefore, to add a scope, you must specify all
+        of the existing scopes along with the added scope.
+
+        This API does not change the list of scopes in the API product(s) included in
+        the app; rather, it sets allowed list of scopes in the scopes element under the
+        apiProducts element in the attributes of the app.
+
+        Important: The specified scopes must already exist on the API product(s)
+        associated with the app. You can't arbitrarily add a scope that does not already
+        exist in an API product. For example, if the app has one API product with these
+        scopes: READ, WRITE. You can't use this API to add a new scope, such as DELETE
+        (unless the app has another product with that scope). If you do this, you'll get
+        a 400 Bad Request error. For example:
+
+        {
+          "code": "keymanagement.service.InvalidScopes",
+          "message": "Invalid scopes. Scopes must be contained in [READ, WRITE]",
+          "contexts": []
+
+        }
+
+        It would be allowed to remove one or both of the existing scopes, and later add
+        one or both back.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.put(url=url, json=body)
+        if resp.status_code != 200:
+            raise Exception(
+                f"PUT request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def delete_product_app_key_association(self, email: str, app_name: str, app_key: str, apiproduct_name: str) -> None:
+        """
+        Removes an API product from an app's consumer key, and thereby renders the app
+        unable to access the API resources defined in that API product.
+
+        Note that the consumer key itself still exists after this call. Only the
+        association of the key with the API product is removed.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{app_key}/apiproducts/{apiproduct_name}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.delete(url=url)
+        if resp.status_code != 200:
+            raise Exception(
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+
+    def post_product_app_key_association(self, email: str, app_name: str, key: str, apiproduct_name: str, **query_params) -> "dict":
+        """
+        Approves or revokes an API product for an API key. Call the API with the action
+        query parameter set to approve or revoke (with no request body) and set the
+        Content-type header to application/octet-stream. If successful, the HTTP status
+        code for success is: 204 No Content
+
+        To consume API resources defined in an API product, an app's consumer key must
+        be approved and it must also be approved for that specific API product.
+
+        Notes:
+
+        - The API product must already be associated with the app.
+
+        - Any access tokens associated with a revoked app key will remain active. However,
+          Apigee Edge checks the status of the app key and if set to revoked it will not
+          allow API calls to go through.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}/apiproducts/{apiproduct_name}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, params=query_params)
+        if resp.status_code != 204:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp   
 
 
 class UsersAPI:

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim/apigee_edge.py

@@ -18,6 +18,7 @@ from .log import log, log_method
 from .apigee_apis import (
     ApigeeNonProdCredentials,
     ApigeeClient,
+    AppKeysAPI,
     DebugSessionsAPI,
     AccessTokensAPI,
     ApiProductsAPI,
@@ -583,3 +584,13 @@ def developer_apps_api():
     config = ApigeeNonProdCredentials()
     client = ApigeeClient(config=config)
     return DeveloperAppsAPI(client=client)
+
+@pytest.fixture(scope="session")
+@log_method
+def developer_app_keys_api():
+    """
+    Authenitcated wrapper for Apigee's developer app keys API
+    """
+    config = ApigeeNonProdCredentials()
+    client = ApigeeClient(config=config)
+    return AppKeysAPI(client=client)

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim/nhsd_apim_authorization.py

@@ -48,7 +48,7 @@ class HealthcareWorkerAuthorization(UserRestrictedAuthorization):
     """
 
     access: Literal["healthcare_worker"]
-    level: Literal["aal1", "aal3"]
+    level: Literal["aal1", "aal2", "aal3"]
 
 
 

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim/pytest_nhsd_apim.py

@@ -48,7 +48,8 @@ from .apigee_edge import (
     trace,
     products_api,
     access_token_api,
-    developer_apps_api
+    developer_apps_api,
+    developer_app_keys_api
 )
 from .auth_journey import (
     _jwt_keys,

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pytest-nhsd-apim
-Version: 3.3.15
+Version: 3.4.2
 Summary: Pytest plugin accessing NHSDigital's APIM proxies
 Home-page: https://github.com/NHSDigital/pytest-nhsd-apim
 Author: Adrian Ciobanita
@@ -11,7 +11,7 @@ License: MIT
 Classifier: Framework :: Pytest
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Requires-Dist: Authlib==0.15.5
+Requires-Dist: Authlib==1.3.1
 Requires-Dist: cryptography==42.0.0
 Requires-Dist: lxml==4.9.1
 Requires-Dist: pycryptodome==3.20.0
@@ -99,6 +99,7 @@ The APIs we offer at the moment are:
 | ApiProductsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L575)  |[Overview](https://apidocs.apigee.com/docs/api-products/1/overview)|
 | DebugSessionsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L844)  |[Overview](https://apidocs.apigee.com/docs/debug-sessions/1/overview)|
 | AccessTokensAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L983)  |[Overview](https://apidocs.apigee.com/docs/oauth-20-access-tokens/1/overview)|
+| AppKeysAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L1243)  |[Overview](https://apidocs.apigee.com/docs/developer-app-keys/1/overview)|
 
 For a more detailed implementation of the available APIs please refer to the tests [here](/tests/test_apigee_apis.py).
 We will keep adding APIs with time, if you are looking for a particular APIs not listed above please feel free to open a pull request and send it to us.

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/src/pytest_nhsd_apim.egg-info/requires.txt

@@ -1,4 +1,4 @@
-Authlib==0.15.5
+Authlib==1.3.1
 cryptography==42.0.0
 lxml==4.9.1
 pycryptodome==3.20.0

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/tests/test_apigee_apis.py

@@ -1,6 +1,6 @@
 """
-The order in wich this tests are ran is important since resources are going to
-be created byt the tests in Apigee. A better way writing the tests would be to
+The order in which this tests are ran is important since resources are going to
+be created by the tests in Apigee. A better way writing of the tests would be to
 create a fixture that manages the creation and tear down of the relevant apps in
 every tests but im a bit tired now...
 """
@@ -13,6 +13,7 @@ from pytest_nhsd_apim.apigee_apis import (
     ApigeeClient,
     ApigeeNonProdCredentials,
     ApiProductsAPI,
+    AppKeysAPI,
     DebugSessionsAPI,
     DeveloperAppsAPI,
 )
@@ -320,3 +321,158 @@ class TestAccessTokenAPI:
         # 2. Delete it
         token_api = AccessTokensAPI(client=client)
         pprint.pprint(token_api.delete_token(access_token=token))
+
+
+class TestAppKeysAPI:
+    def test_create_app(self, client):
+        developer_apps = DeveloperAppsAPI(client=client)
+        body = {
+            "apiProducts": [],
+            "attributes": [
+                {"name": "ADMIN_EMAIL", "value": "lucas.fantini@nhs.net"},
+                {"name": "DisplayName", "value": "My App"},
+                {"name": "Notes", "value": "Notes for developer app"},
+                {"name": "MINT_BILLING_TYPE", "value": "POSTPAID"},
+            ],
+            "callbackUrl": "example.com",
+            "name": "myapp",
+            "scopes": [],
+            "status": "approved",
+        }
+        pprint.pprint(
+            developer_apps.create_app(email="lucas.fantini@nhs.net", body=body)
+        )
+
+    def test_post_apiproducts(self, client):
+        api_products = ApiProductsAPI(client=client)
+        body = {
+            "apiResources": ["/"],
+            "approvalType": "auto",
+            "attributes": [{"name": "access", "value": "public"}],
+            "description": "My API product",
+            "displayName": "My API product",
+            "environments": ["internal-dev"],
+            "name": "myapiproduct",
+            "proxies": ["identity-service-internal-dev"],
+            "scopes": ["scope1"],
+        }
+        pprint.pprint(api_products.post_products(body=body))
+
+    def test_create_app_key(self, client):
+        app_keys = AppKeysAPI(client=client)
+        pprint.pprint(
+            app_keys.create_app_key(
+              "lucas.fantini@nhs.net",
+              "myapp",
+              {
+                  "consumerKey": "RW3HpQ2oEGT8smAB",
+                  "consumerSecret": "J0BUbo8Scy6M90qL"
+              }
+            )
+        )
+
+    def test_get_app_key(self, client):
+        app_keys = AppKeysAPI(client=client)
+        pprint.pprint(
+            app_keys.get_app_key(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB"
+            )
+        )
+
+    def test_post_app_key(self, client):
+        app_keys = AppKeysAPI(client=client)
+        body = {
+            "apiProducts": ["myapiproduct"]
+        }
+        pprint.pprint(
+            app_keys.post_app_key(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB",
+                body
+            )
+        )
+
+    def test_put_app_key(self, client):
+        app_keys = AppKeysAPI(client=client)
+        body = {
+            "scopes": [
+                "scope1"
+            ]
+        }
+        pprint.pprint(
+            app_keys.put_app_key(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB",
+                body
+              )
+        )
+
+    def test_post_product_app_key_association(self, client):
+        app_keys = AppKeysAPI(client=client)
+        pprint.pprint(
+            app_keys.post_product_app_key_association(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB",
+                "myapiproduct",
+                action="revoke"
+            )
+        )
+        pprint.pprint(
+            app_keys.get_app_key(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB"
+            )
+        )
+
+    def test_post_app_key_params(self, client):
+        app_keys = AppKeysAPI(client=client)
+        pprint.pprint(
+            app_keys.post_app_key(
+                email="lucas.fantini@nhs.net",
+                app_name="myapp",
+                key="RW3HpQ2oEGT8smAB",
+                body=None,
+                action="revoke"
+            )
+        )
+        pprint.pprint(
+            app_keys.get_app_key(
+                "lucas.fantini@nhs.net",
+                "myapp",
+                "RW3HpQ2oEGT8smAB"
+            )
+        )
+
+    def test_delete_product_app_key_association(self, client):
+        app_keys = AppKeysAPI(client=client)
+        pprint.pprint(
+            app_keys.delete_product_app_key_association(
+                email="lucas.fantini@nhs.net",
+                app_name="myapp",
+                app_key="RW3HpQ2oEGT8smAB",
+                apiproduct_name="myapiproduct"
+            )
+        )
+
+    def test_delete_product_by_name(self, client):
+        api_products = ApiProductsAPI(client=client)
+        pprint.pprint(
+            api_products.delete_product_by_name(
+                product_name="myapiproduct"
+            )
+        )
+
+    def test_delete_app_by_name(self, client):
+        developer_apps = DeveloperAppsAPI(client=client)
+        pprint.pprint(
+            developer_apps.delete_app_by_name(
+                email="lucas.fantini@nhs.net",
+                app_name="myapp"
+            )
+        )

{pytest_nhsd_apim-3.3.15 → pytest_nhsd_apim-3.4.2}/tests/test_examples.py

@@ -208,37 +208,36 @@ def test_patient_access_level_with_parametrization(
 # We are on our second generation of mock identity provider for
 # healthcare_worker access (CIS2). This allows you to log-in using a
 # username.
-MOCK_CIS2_USERNAMES = ["656005750104", "656005750105", "656005750106", "656005750107"]
+MOCK_CIS2_USERNAMES = {
+    "aal1": ["656005750110"],
+    "aal2": ["656005750109", "656005750111", "656005750112"],
+    "aal3": ["656005750104", "656005750105", "656005750106"],
+}
 
 
-# You can make the parametrization less verbose by using a function to
-# construct each pytest.param!
-def cis2_aal3_mark(username: str):
-    return pytest.param(
+# Create a list of pytest.param for each combination of username and level for combined auth
+combined_auth_params = [
+    pytest.param(
+        username, level,
         marks=pytest.mark.nhsd_apim_authorization(
             access="healthcare_worker",
-            level="aal3",
+            level=level,
             login_form={"username": username},
         ),
     )
+    for level, usernames in MOCK_CIS2_USERNAMES.items()
+    for username in usernames
+]
 
 
-# It's getting pretty abstract now, but we're accessing the same
-# endpoint using access tokens granted to four different mock
-# users. Each is a valid mock user with aal3 credentials and so is
-# granted a token we can use.
-@pytest.mark.parametrize(
-    (),
-    [cis2_aal3_mark(username) for username in MOCK_CIS2_USERNAMES],
-)
+@pytest.mark.parametrize("username, level", combined_auth_params)
 def test_healthcare_worker_user_restricted_combined_auth(
-    nhsd_apim_proxy_url, nhsd_apim_auth_headers
+    nhsd_apim_proxy_url, nhsd_apim_auth_headers, username, level
 ):
-    resp0 = requests.get(nhsd_apim_proxy_url + "/test-auth/nhs-cis2/aal3")
+    url = f"{nhsd_apim_proxy_url}/test-auth/nhs-cis2/{level}"
+    resp0 = requests.get(url)
     assert resp0.status_code == 401
-    resp1 = requests.get(
-        nhsd_apim_proxy_url + "/test-auth/nhs-cis2/aal3", headers=nhsd_apim_auth_headers
-    )
+    resp1 = requests.get(url, headers=nhsd_apim_auth_headers)
     assert resp1.status_code == 200
 
 
@@ -249,21 +248,31 @@ def test_healthcare_worker_user_restricted_combined_auth(
 # doesn't look too different. "combined" authentication is the default for this
 # library. To use separate authentication instead, add authentication="separate"
 # to the nhsd_apim_authorization mark.
-@pytest.mark.nhsd_apim_authorization(
-    {
-        "access": "healthcare_worker",
-        "level": "aal3",
-        "login_form": {"username": "aal3"},
-        "authentication": "separate",
-    }
-)
+
+# Create a combined list for separate authentication testing
+separate_auth_params = [
+    pytest.param(
+        username, level,
+        marks=pytest.mark.nhsd_apim_authorization(
+            access="healthcare_worker",
+            level=level,
+            login_form={"username": username},
+            authentication="separate",
+        ),
+    )
+    for level, usernames in MOCK_CIS2_USERNAMES.items()
+    for username in usernames
+]
+
+
+@pytest.mark.parametrize("username, level", separate_auth_params)
 def test_healthcare_work_user_restricted_separate_auth(
-    nhsd_apim_proxy_url, nhsd_apim_auth_headers
+    nhsd_apim_proxy_url, nhsd_apim_auth_headers, username, level
 ):
-    aal3_url = f"{nhsd_apim_proxy_url}/test-auth/nhs-cis2/aal3"
-    resp0 = requests.get(aal3_url)
+    aal_url = f"{nhsd_apim_proxy_url}/test-auth/nhs-cis2/{level}"
+    resp0 = requests.get(aal_url)
     assert resp0.status_code == 401
-    resp1 = requests.get(aal3_url, headers=nhsd_apim_auth_headers)
+    resp1 = requests.get(aal_url, headers=nhsd_apim_auth_headers)
     assert resp1.status_code == 200
 
 
@@ -439,4 +448,4 @@ def test_trace(nhsd_apim_proxy_url, nhsd_apim_auth_headers, trace):
 
     trace.delete_debugsession_by_name(session_name)
 
-    assert status_code_from_trace == "200"
+    assert status_code_from_trace == "200"