pytest-nhsd-apim 3.3.6__py3-none-any.whl → 5.0.15__py3-none-any.whl

pytest_nhsd_apim/apigee_apis.py

@@ -5,7 +5,8 @@ import jwt
 import pyotp
 import requests
 from jwt import ExpiredSignatureError
-from pydantic import BaseSettings, root_validator
+from pydantic import model_validator
+from pydantic_settings import BaseSettings
 
 
 class ApigeeProdCredentials(BaseSettings):
@@ -38,29 +39,27 @@ class ApigeeProdCredentials(BaseSettings):
     apigee_nhsd_prod_password: Optional[str] = None
     apigee_nhsd_prod_passcode: Optional[str] = None
     apigee_access_token: Optional[str] = None
+    auth_method: Optional[str] = None
 
-    @root_validator(pre=True)
+    @model_validator(mode="before")
     def check_credentials_config(cls, values):
         print(values)
         """Checks for the right set of credentials"""
         if all(
             [
-                values.get(key)
-                for key in [
-                    "apigee_nhsd_prod_username",
-                    "apigee_nhsd_prod_password",
-                    "auth_server",
-                ]
+                values.get("apigee_nhsd_prod_username"),
+                values.get("apigee_nhsd_prod_password"),
+                values.get("auth_server"),
             ]
         ):
             values["auth_method"] = "saml"
             return values
         elif all(
-            [values.get(key) for key in ["auth_server", "apigee_nhsd_prod_passcode"]]
+            [values.get("auth_server"), values.get("apigee_nhsd_prod_passcode")]
         ):
             values["auth_method"] = "saml"
             return values
-        elif values["access_token"]:
+        elif values.get("apigee_access_token"):
             values["auth_method"] = "access_token"
             return values
         else:
@@ -101,39 +100,34 @@ class ApigeeProdCredentials(BaseSettings):
 
 class ApigeeNonProdCredentials(BaseSettings):
     auth_server: str = "login.apigee.com"
-    apigee_nhsd_nonprod_username: Optional[str]
-    apigee_nhsd_nonprod_password: Optional[str]
-    apigee_nhsd_nonprod_otp_key: Optional[str]
-    apigee_access_token: Optional[str]
+    apigee_nhsd_nonprod_username: Optional[str] = None
+    apigee_nhsd_nonprod_password: Optional[str] =  None
+    apigee_nhsd_nonprod_otp_key: Optional[str] = None
+    apigee_access_token: Optional[str] = None
+    auth_method: Optional[str] = None
 
-    @root_validator
+    @model_validator(mode='before')
     def check_credentials_config(cls, values):
         """Checks for the right set of credentials"""
         if all(
             [
-                values.get(key)
-                for key in [
-                    "apigee_nhsd_nonprod_username",
-                    "apigee_nhsd_nonprod_password",
-                    "apigee_nhsd_nonprod_otp_key",
-                ]
+                values.get("apigee_nhsd_nonprod_username"),
+                values.get("apigee_nhsd_nonprod_password"),
+                values.get("apigee_nhsd_nonprod_otp_key"),
             ]
         ):
             values["auth_method"] = "saml"
             return values
         elif all(
             [
-                values.get(key)
-                for key in [
-                    "auth_server",
-                    "apigee_nhsd_nonprod_password",
-                    "apigee_nhsd_nonprod_username",
-                ]
+                values.get("auth_server"),
+                values.get("apigee_nhsd_nonprod_password"),
+                values.get("apigee_nhsd_nonprod_username"),
             ]
         ):
             values["auth_method"] = "saml"
             return values
-        elif values["apigee_access_token"]:
+        elif values.get("apigee_access_token"):
             values["auth_method"] = "access_token"
             return values
         else:
@@ -476,7 +470,7 @@ class DeveloperAppsAPI:
         resp = self.client.delete(url=url)
         if resp.status_code != 200:
             raise Exception(
-                f"GET request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
             )
         return resp.json()
 
@@ -1241,11 +1235,218 @@ class UserRolesAPI:
 
 
 class AppKeysAPI:
+    """
+    Manage consumer credentials for apps associated with individual developers.
+
+    Credential pairs consisting of consumer key and consumer secret are provisioned
+    by Apigee Edge to apps for specific API products. Apigee Edge maintains the
+    relationship between consumer keys and API products, enabling API products to be
+    added to and removed from consumer keys. A single consumer key can be used to
+    access multiple API products. Keys may be manually or automatically approved for
+    API products--how they are issued depends on the API product configuration. A key
+    must approved and approved for an API product to be capable of accessing any of
+    the URIs defined in the API product.
+    """
+
     def __init__(self, client: RestClient) -> None:
         self.client = client
-        raise NotImplementedError(
-            f"Ugh! this is awkward, this API is not available yet...feel free to give us a shout or to open a PR https://github.com/NHSDigital/pytest-nhsd-apim/blob/0cf274850a8fe61e17f214380496ba09fd6cc973/src/pytest_nhsd_apim/apigee_apis.py#L1142"
-        )
+
+    def create_app_key(self, email: str, app_name: str, body: dict) -> "dict":
+        """
+        Creates a custom consumer key and secret for a developer app.
+        This is particularly useful if you want to migrate existing consumer
+        keys/secrets to Edge from another system.
+
+        After creating the consumer key and secret, associate the key with an
+        API product, as described in Add API Product to Key.
+
+        Consumer keys and secrets can contain letters, numbers, underscores,
+        and hyphens. No other special characters are allowed.
+
+        Note: Be aware of the following size limits on API keys. By staying
+        within these limits, you help avoid service disruptions.
+
+        - Consumer key (API key) size: 2 KB
+
+        - Consumer secret size: 2 KB
+
+        If a consumer key and secret already exist, you can either keep them
+        or delete them, as described in Delete Key for a Developer App.
+
+        In addition, you can use this API if you have existing API keys and
+        secrets that you want to copy into Edge from another system. For more
+        information, see Import existing consumer keys and secrets.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/create"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, json=body)
+        if resp.status_code != 201:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def delete_app_key(self, email: str, app_name: str, app_key: str) -> None:
+        """
+        Deletes a consumer key that belongs to an app, and removes all API products
+        associated with the app. Once deleted, the consumer key cannot be used
+        to access any APIs.
+
+        After you delete a consumer key, you may want to:
+
+        - Create a new consumer key and secret for the developer app, and
+          subsequently add an API product to the key.
+
+        - Delete the developer app, if it is no longer required.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{app_key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.delete(url=url)
+        if resp.status_code != 200:
+            raise Exception(
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def get_app_key(self, email: str, app_name: str, key: str, **query_params) -> "list[str]":
+        """
+        Gets details for a consumer key for a developer app, including the key
+        and secret value, associated API products, and other information.
+        """
+
+        params = query_params
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.get(url=url, params=params)
+        if resp.status_code != 200:
+            raise Exception(
+                f"GET request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+
+    def post_app_key(self, email: str, app_name: str, key: str, body: dict, **query_params) -> "dict":
+        """
+        Enables you to perform one of the following tasks:
+
+        - Add an API product to a developer app key, enabling the app that holds
+          the key to access the API resources bundled in the API product. You can
+          also use this API to add attributes to the key. You must include all existing
+          attributes, whether or not you are updating them, as well as any new attributes
+          that you are adding. After adding the API product, you can use the same key
+          to access all API products associated with the app.
+
+        - Approve or revoke a specific consumer key for an app. Call the API with the
+          action query parameter set to approve or revoke (with no request body) and
+          set the Content-type header to application/octet-stream. If successful, the HTTP
+          status code for success is: 204 No Content
+
+        - You can approve a consumer key that is currently revoked or pending. Once
+          approved, the app can use the consumer key to access APIs. Revoking a consumer
+          key renders it unusable for the app to use to access an API.
+
+        - Note: Any access tokens associated with a revoked app key will remain active.
+          However, Apigee Edge checks the status of the app key and if set to revoked it
+          will not allow API calls to go through.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, json=body, params=query_params)
+        if resp.status_code != 200 and resp.status_code != 204:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        if resp.status_code == 204:
+            return resp
+        else:
+            return resp.json()
+
+    def put_app_key(self, email: str, app_name: str, key: str, body: dict) -> "dict":
+        """
+        Updates the allowed OAuth scopes associated with an app.
+
+        Note: Specify the complete list of scopes to apply. The specified list replaces
+        the existing scopes on the app. Therefore, to add a scope, you must specify all
+        of the existing scopes along with the added scope.
+
+        This API does not change the list of scopes in the API product(s) included in
+        the app; rather, it sets allowed list of scopes in the scopes element under the
+        apiProducts element in the attributes of the app.
+
+        Important: The specified scopes must already exist on the API product(s)
+        associated with the app. You can't arbitrarily add a scope that does not already
+        exist in an API product. For example, if the app has one API product with these
+        scopes: READ, WRITE. You can't use this API to add a new scope, such as DELETE
+        (unless the app has another product with that scope). If you do this, you'll get
+        a 400 Bad Request error. For example:
+
+        {
+          "code": "keymanagement.service.InvalidScopes",
+          "message": "Invalid scopes. Scopes must be contained in [READ, WRITE]",
+          "contexts": []
+
+        }
+
+        It would be allowed to remove one or both of the existing scopes, and later add
+        one or both back.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.put(url=url, json=body)
+        if resp.status_code != 200:
+            raise Exception(
+                f"PUT request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+    
+    def delete_product_app_key_association(self, email: str, app_name: str, app_key: str, apiproduct_name: str) -> None:
+        """
+        Removes an API product from an app's consumer key, and thereby renders the app
+        unable to access the API resources defined in that API product.
+
+        Note that the consumer key itself still exists after this call. Only the
+        association of the key with the API product is removed.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{app_key}/apiproducts/{apiproduct_name}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.delete(url=url)
+        if resp.status_code != 200:
+            raise Exception(
+                f"DELETE request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp.json()
+
+    def post_product_app_key_association(self, email: str, app_name: str, key: str, apiproduct_name: str, **query_params) -> "dict":
+        """
+        Approves or revokes an API product for an API key. Call the API with the action
+        query parameter set to approve or revoke (with no request body) and set the
+        Content-type header to application/octet-stream. If successful, the HTTP status
+        code for success is: 204 No Content
+
+        To consume API resources defined in an API product, an app's consumer key must
+        be approved and it must also be approved for that specific API product.
+
+        Notes:
+
+        - The API product must already be associated with the app.
+
+        - Any access tokens associated with a revoked app key will remain active. However,
+          Apigee Edge checks the status of the app key and if set to revoked it will not
+          allow API calls to go through.
+        """
+
+        resource = f"/developers/{email}/apps/{app_name}/keys/{key}/apiproducts/{apiproduct_name}"
+        url = f"{self.client.base_url}{resource}"
+        resp = self.client.post(url=url, params=query_params)
+        if resp.status_code != 204:
+            raise Exception(
+                f"POST request to {resp.url} failed with status_code: {resp.status_code}, Reason: {resp.reason} and Content: {resp.text}"
+            )
+        return resp   
 
 
 class UsersAPI:

pytest_nhsd_apim/apigee_edge.py

@@ -5,6 +5,7 @@ This includes app setup/teardown, getting proxy info (proxy-under-test
 + identity-service of choice), getting products, registering them with
 the test app.
 """
+
 import functools
 import warnings
 from datetime import datetime
@@ -18,10 +19,11 @@ from .log import log, log_method
 from .apigee_apis import (
     ApigeeNonProdCredentials,
     ApigeeClient,
+    AppKeysAPI,
     DebugSessionsAPI,
     AccessTokensAPI,
     ApiProductsAPI,
-    DeveloperAppsAPI
+    DeveloperAppsAPI,
 )
 
 APIGEE_BASE_URL = "https://api.enterprise.apigee.com/v1/"
@@ -47,6 +49,7 @@ def _apigee_app_base_url(nhsd_apim_config):
     url = APIGEE_BASE_URL + f"organizations/{org}/developers/{dev}/apps"
     return url
 
+
 @pytest.fixture(scope="session")
 @log_method
 def _apigee_app_base_url_no_dev(nhsd_apim_config):
@@ -54,14 +57,18 @@ def _apigee_app_base_url_no_dev(nhsd_apim_config):
     url = APIGEE_BASE_URL + f"organizations/{org}/apps"
     return url
 
+
 @functools.lru_cache(maxsize=None)
 @log_method
 def _get_proxy_json(session, nhsd_apim_proxy_url):
     """
     Query the apigee edge API to get data about the desired proxy, in particular its current deployment.
     """
-    deployment_err_msg = "\n\tInvalid Access Token: Ensure APIGEE_ACCESS_TOKEN is valid."
-    deployment_resp = session.get(nhsd_apim_proxy_url + "/deployments")
+    deployment_err_msg = (
+        "\n\tFailed to retrieve the proxy deployment data. "
+        + "Please check the validity of the APIGEE credentials and token as well as any headers."
+    )
+    deployment_resp = session.get(f"{nhsd_apim_proxy_url}/deployments")
     assert deployment_resp.status_code == 200, deployment_err_msg.format(deployment_resp.content)
     deployment_json = deployment_resp.json()
 
@@ -279,7 +286,9 @@ _TEST_APP = None
 
 @pytest.fixture(scope="session")
 @log_method
-def nhsd_apim_test_app(_create_test_app, _apigee_edge_session, _apigee_app_base_url, _apigee_app_base_url_no_dev, _test_app_id) -> Callable:
+def nhsd_apim_test_app(
+    _create_test_app, _apigee_edge_session, _apigee_app_base_url, _apigee_app_base_url_no_dev, _test_app_id
+) -> Callable:
     """
     A Callable that gets you the current state of the test app.
     """
@@ -310,7 +319,7 @@ def nhsd_apim_test_app(_create_test_app, _apigee_edge_session, _apigee_app_base_
             return _TEST_APP
         if _test_app_id:
             resp = _apigee_edge_session.get(_apigee_app_base_url_no_dev + "/" + _test_app_id)
-        else: 
+        else:
             resp = _apigee_edge_session.get(_apigee_app_base_url + "/" + _create_test_app["name"])
         _TEST_APP = resp.json()
         return _TEST_APP
@@ -318,8 +327,8 @@ def nhsd_apim_test_app(_create_test_app, _apigee_edge_session, _apigee_app_base_
     return app
 
 
-@log_method
 @pytest.fixture(scope="session")
+@log_method
 def nhsd_apim_unsubscribe_test_app_from_all_products(
     nhsd_apim_test_app, _apigee_edge_session, _apigee_app_base_url, _test_app_id
 ):
@@ -464,7 +473,7 @@ def _create_test_app(
     else:
         app = {
             "name": f"apim-auto-{uuid4()}",
-            "callbackUrl": "https://example.org/callback",
+            "callbackUrl": "https://google.com/callback",
             "attributes": [{"name": "jwks-resource-url", "value": jwt_public_key_url}],
         }
         create_resp = _apigee_edge_session.post(_apigee_app_base_url, json=app)
@@ -508,7 +517,7 @@ def _create_function_scoped_test_app(
     else:
         app = {
             "name": f"apim-auto-{uuid4()}",
-            "callbackUrl": "https://example.org/callback",
+            "callbackUrl": "https://google.com/callback",
             "attributes": [{"name": "jwks-resource-url", "value": jwt_public_key_url}],
         }
         create_resp = _apigee_edge_session.post(_apigee_app_base_url, json=app)
@@ -534,6 +543,7 @@ def _test_app_callback_url(_create_test_app):
 def _test_app_id(nhsd_apim_config):
     return nhsd_apim_config["APIGEE_APP_ID"]
 
+
 @pytest.fixture()
 @log_method
 def trace(_apigee_proxy):
@@ -541,15 +551,16 @@ def trace(_apigee_proxy):
     Authenticated wrapper around the DebugSessionsAPI class
     """
     config = ApigeeNonProdCredentials()
-    client =  ApigeeClient(config=config)
+    client = ApigeeClient(config=config)
     debug = DebugSessionsAPI(
         client=client,
         env_name=_apigee_proxy["environment"],
         api_name=_apigee_proxy["name"],
-        revision_number=_apigee_proxy["revision"]
+        revision_number=_apigee_proxy["revision"],
     )
     return debug
 
+
 @pytest.fixture(scope="session")
 @log_method
 def access_token_api():
@@ -571,6 +582,7 @@ def products_api():
     client = ApigeeClient(config=config)
     return ApiProductsAPI(client=client)
 
+
 @pytest.fixture(scope="session")
 @log_method
 def developer_apps_api():
@@ -580,3 +592,14 @@ def developer_apps_api():
     config = ApigeeNonProdCredentials()
     client = ApigeeClient(config=config)
     return DeveloperAppsAPI(client=client)
+
+
+@pytest.fixture(scope="session")
+@log_method
+def developer_app_keys_api():
+    """
+    Authenitcated wrapper for Apigee's developer app keys API
+    """
+    config = ApigeeNonProdCredentials()
+    client = ApigeeClient(config=config)
+    return AppKeysAPI(client=client)

pytest_nhsd_apim/identity_service.py

@@ -1,23 +1,24 @@
 """
 This is a self-contained wrapper for a bunch of authentication
-methods in APIM. NOT ONLY the identity service is taken into 
-account in here, you will also find authenticators for keycloak 
-and more... Feel free to keep adding authenticators here and 
+methods in APIM. NOT ONLY the identity service is taken into
+account in here, you will also find authenticators for keycloak
+and more... Feel free to keep adding authenticators here and
 maybe move this file to its own library.
 """
 
 import uuid
-from time import time
-from typing import Literal
-
-import jwt
-from pydantic import BaseModel, HttpUrl, validator
 from abc import ABC, abstractmethod
+from time import time
 from typing import Literal
 from urllib.parse import parse_qs, urlparse
 
+import jwt
 import requests
 from lxml import html
+from pydantic import BaseModel, HttpUrl, validator, AfterValidator
+from typing_extensions import Annotated
+
+HttpUrlString = Annotated[HttpUrl, AfterValidator(lambda v: str(v).rstrip("/"))]
 
 
 #### Config models
@@ -26,14 +27,22 @@ class KeycloakConfig(BaseModel):
 
     realm: Literal[
         "Cis2-mock-internal-dev",
+        "Cis2-mock-internal-dev-sandbox",
         "Cis2-mock-internal-qa",
+        "Cis2-mock-internal-qa-sandbox",
+        "Cis2-mock-ref",
+        "Cis2-mock-dev",
         "Cis2-mock-sandbox",
         "Cis2-mock-int",
         "NHS-Login-mock-internal-dev",
+        "NHS-Login-mock-internal-dev-sandbox",
         "NHS-Login-mock-internal-qa",
+        "NHS-Login-mock-internal-qa-sandbox",
+        "NHS-Login-mock-ref",
+        "NHS-Login-mock-dev",
         "NHS-Login-mock-sandbox",
         "NHS-Login-mock-int",
-        "Api-producers",  # just in case u want to get a cheeky token for proxygen ;)
+        "api-producers",  # just in case u want to get a cheeky token for proxygen ;)
     ]
 
     @property
@@ -47,7 +56,8 @@ class KeycloakConfig(BaseModel):
 class KeycloakUserConfig(KeycloakConfig):
     client_id: str
     client_secret: str
-    redirect_uri: HttpUrl = "https://example.org"
+    scope: str = "openid"
+    redirect_uri: HttpUrlString = "https://google.com"
     login_form: dict
 
 
@@ -57,7 +67,7 @@ class AuthorizationCodeConfig(BaseModel):
     def _identity_service_base_url(env):
         prefix = "https://"
         host = "api.service.nhs.uk"
-        path = "/oauth2-mock"  # lets just support mock auth v2...
+        path = "/oauth2-mock"
         if env != "prod":
             prefix += f"{env}."
         return f"{prefix}{host}{path}"
@@ -68,36 +78,23 @@ class AuthorizationCodeConfig(BaseModel):
         "internal-dev-sandbox",
         "internal-qa-sandbox",
         "ref",
+        "sandbox",
+        "dev",
         "int",
         "prod",
     ] = "internal-dev"
     org: Literal["nhsd-nonprod", "nhsd-prod"] = "nhsd-nonprod"
-    callback_url: HttpUrl
-    identity_service_base_url: HttpUrl = _identity_service_base_url(environment)
+    callback_url: HttpUrlString
+    identity_service_base_url: HttpUrlString = _identity_service_base_url(environment)
     client_id: str
     client_secret: str
     scope: Literal["nhs-login", "nhs-cis2"]
     login_form: dict
 
     @validator("environment")
-    # The dream is to suport all the auth methods in all the environments
-    # however this is only true for client_credentials at the time of writing
-    # this library, we dont have at the moment a complete map between identity
-    # service deployment environments and keycloak realms so authorization_code
-    # and token_exchange are only supported in internal-dev, internal-qa and
-    # int. We use validators to handle this and when the moment comes we can
-    # just delete them.
     def validate_environment(cls, environment):
-        if environment in [
-            "internal-dev-sandbox",
-            "internal-qa-sandbox",
-            "sandbox",
-            "ref",
-            "prod",
-        ]:
-            raise ValueError(
-                f"This is awkward.. we dont support auth_code flow for the {environment} just yet"
-            )
+        if environment == "prod":
+            raise ValueError(f"We dont support testing in the production environment")
         return environment
 
 
@@ -118,6 +115,8 @@ class ClientCredentialsConfig(BaseModel):
         "internal-dev-sandbox",
         "internal-qa-sandbox",
         "ref",
+        "dev",
+        "sandbox",
         "int",
         "prod",
     ] = "internal-dev"
@@ -125,7 +124,7 @@ class ClientCredentialsConfig(BaseModel):
     client_id: str
     jwt_private_key: str
     jwt_kid: str
-    identity_service_base_url: HttpUrl = _identity_service_base_url(environment)
+    identity_service_base_url: HttpUrlString = _identity_service_base_url(environment)
 
     def encode_jwt(self):
         url = f"{self.identity_service_base_url}/token"
@@ -137,9 +136,7 @@ class ClientCredentialsConfig(BaseModel):
             "exp": int(time()) + 300,  # 5 minutes in the future
         }
         additional_headers = {"kid": self.jwt_kid}
-        client_assertion = jwt.encode(
-            claims, self.jwt_private_key, algorithm="RS512", headers=additional_headers
-        )
+        client_assertion = jwt.encode(claims, self.jwt_private_key, algorithm="RS512", headers=additional_headers)
         return client_assertion
 
 
@@ -151,6 +148,7 @@ class TokenExchangeConfig(ClientCredentialsConfig):
 class KeycloakSignedJWTConfig:
     pass
 
+
 # currently only targets AOS environment
 class NHSLoginConfig(BaseModel):
     """Config needed to authenticate using NHS Login"""
@@ -160,14 +158,14 @@ class NHSLoginConfig(BaseModel):
         self.nhs_login_base_url = openid_config["issuer"]
 
         well_known_jwks: list = requests.get(openid_config["jwks_uri"]).json()
-        well_known_key = well_known_jwks['keys'].pop()
+        well_known_key = well_known_jwks["keys"].pop()
         self.jwt_kid = well_known_key["kid"]
         self.alg = well_known_key["alg"]
 
         super().__init__(**kwargs)
 
-    callback_url: HttpUrl = "https://nhsd-apim-testing-int-ns.herokuapp.com/nhslogin/callback"
-    nhs_login_base_url: HttpUrl
+    callback_url: HttpUrlString = "https://nhsd-apim-testing-int-ns.herokuapp.com/nhslogin/callback"
+    nhs_login_base_url: HttpUrlString
     client_id: str = "APIM-1"
     jwt_private_key: str
     jwt_kid: str
@@ -185,16 +183,14 @@ class NHSLoginConfig(BaseModel):
             "exp": int(time()) + 300,  # 5 minutes in the future
         }
         additional_headers = {"kid": self.jwt_kid}
-        client_assertion = jwt.encode(
-            claims, self.jwt_private_key, algorithm=self.alg, headers=additional_headers
-        )
+        client_assertion = jwt.encode(claims, self.jwt_private_key, algorithm=self.alg, headers=additional_headers)
         return client_assertion
-    
 
 
 class BananaAuthenticatorConfig:  # Placeholder
     pass
 
+
 ### Authenticators
 class Authenticator(ABC):
     """Defines the interface"""
@@ -264,9 +260,7 @@ class AuthorizationCodeAuthenticator(Authenticator):
             },
         )
         if resp.status_code != 200:
-            raise RuntimeError(
-                f"{auth_url} request returned {resp.status_code}: {resp.text}"
-            )
+            raise RuntimeError(f"{auth_url} request returned {resp.status_code}: {resp.text}")
         return resp
 
     @staticmethod
@@ -300,9 +294,7 @@ class AuthorizationCodeAuthenticator(Authenticator):
         form_submission_data,
     ):
         form_submit_url = authorize_form.action or authorize_response.request.url
-        resp = session.request(
-            authorize_form.method, form_submit_url, data=form_submission_data
-        )
+        resp = session.request(authorize_form.method, form_submit_url, data=form_submission_data)
         # TODO: Investigate why when using the fixtures it returns 404 and when
         # using with external credentials returns 200
         # if resp.status_code != 200:
@@ -313,9 +305,7 @@ class AuthorizationCodeAuthenticator(Authenticator):
 
     @staticmethod
     def _get_auth_code_from_mock_auth(response_identity_service_login):
-        qs = urlparse(
-            response_identity_service_login.history[-1].headers["Location"]
-        ).query
+        qs = urlparse(response_identity_service_login.history[-1].headers["Location"]).query
         auth_code = parse_qs(qs)["code"]
         if isinstance(auth_code, list):
             # in case there's multiple, this was a bug at one stage
@@ -337,16 +327,12 @@ class AuthorizationCodeAuthenticator(Authenticator):
             self.config.scope,
         )
 
-        authorize_form = self._get_authorization_form(
-            authorize_response.content.decode()
-        )
+        authorize_form = self._get_authorization_form(authorize_response.content.decode())
         # 2. Parse the login page.  For keycloak this presents an
         # HTML form, which must be filled in with valid data.  The tester
         # can submits their login data with the `login_form` field.
 
-        form_submission_data = self._get_authorize_form_submission_data(
-            authorize_form, self.config.login_form
-        )
+        form_submission_data = self._get_authorize_form_submission_data(authorize_form, self.config.login_form)
 
         # form_submission_data["username"] = 656005750104
         #     # And here we inject a valid mock username for keycloak.
@@ -423,7 +409,7 @@ class KeycloakUserAuthenticator(Authenticator):
             params={
                 "response_type": "code",
                 "client_id": self.config.client_id,
-                "scope": "openid",
+                "scope": self.config.scope,
                 "redirect_uri": self.config.redirect_uri,
             },
         )
@@ -509,6 +495,7 @@ class NHSLoginSandpitAuthenticator(Authenticator):
 
 class NHSLoginAosAuthenticator(Authenticator):
     """Authenticates you against NHS-Login aos environment"""
+
     # This is only partially implemented. See below for usage:
     # https://nhsd-confluence.digital.nhs.uk/display/APM/KOP-085+Generating+NHS+login+ID+tokens
 

pytest_nhsd_apim/nhsd_apim_authorization.py

@@ -48,7 +48,7 @@ class HealthcareWorkerAuthorization(UserRestrictedAuthorization):
     """
 
     access: Literal["healthcare_worker"]
-    level: Literal["aal1", "aal3"]
+    level: Literal["aal1", "aal2", "aal3"]
 
 
 

pytest_nhsd_apim/pytest_nhsd_apim.py

@@ -48,7 +48,8 @@ from .apigee_edge import (
     trace,
     products_api,
     access_token_api,
-    developer_apps_api
+    developer_apps_api,
+    developer_app_keys_api
 )
 from .auth_journey import (
     _jwt_keys,

pytest_nhsd_apim/secrets.py

@@ -22,12 +22,23 @@ _SESSION = requests.session()
 
 @pytest.fixture()
 @log_method
-def _mock_jwks_api_key(_apigee_app_base_url, _apigee_edge_session, test_app, apigee_environment, _test_app_id):
+def _mock_jwks_api_key(
+    _apigee_app_base_url,
+    _apigee_edge_session,
+    test_app,
+    apigee_environment,
+    _test_app_id,
+):
     # Apps in prod Apigee shouldn't rely on mock-jwks for their api key
-    if apigee_environment in ["int", "prod"]: return ""
+    if apigee_environment in ["dev", "sandbox", "int", "prod"]:
+        return ""
 
     creds = get_app_credentials_for_product(
-        _apigee_app_base_url, _apigee_edge_session, test_app(), f"mock-jwks-{apigee_environment}", _test_app_id
+        _apigee_app_base_url,
+        _apigee_edge_session,
+        test_app(),
+        f"mock-jwks-{apigee_environment}",
+        _test_app_id,
     )
     return creds["consumerKey"]
 

pytest_nhsd_apim/token_cache.py

@@ -20,7 +20,14 @@ class _TokenCache:
             # only present on app-restricted tokens.  we can inject
             # this ourselves. Assume 5 seconds ago, probably was more
             # recently
-            token_data["issued_at"] = time() - 5000
+            token_data["issued_at"] = (int(time()) * 1000) - 5000
+
+        if not self.is_time_in_milliseconds(token_data["issued_at"]):
+            token_data["issued_at"] = int(token_data["issued_at"]) * 1000
+
+        if not self.is_expiry_in_milliseconds(token_data["expires_in"]):
+            token_data["expires_in"] = int(token_data["expires_in"]) * 1000
+        
         self._cache[key] = token_data
 
     @log_method
@@ -33,18 +40,24 @@ class _TokenCache:
 
         old_token_data = self._cache[key]
         grace_period_seconds = 5
-        now_ish = int(time()) + grace_period_seconds
+        now_ish = (int(time()) + grace_period_seconds) * 1000
 
         # issued_at is epoch_time in milliseconds
         # but expires_in is in seconds
         # => need factor of 1000 in this sum.
-        expiry_time = int(old_token_data["issued_at"]) + 1000 * int(
-            old_token_data["expires_in"]
-        )
+        
+        expiry_time = int(old_token_data["issued_at"]) + int(old_token_data["expires_in"])
         if now_ish > expiry_time:
             self._cache.pop(key)
             return None
         return old_token_data
+    
+    def is_time_in_milliseconds(self, time_value):
+        return int(time_value) > 10**11 #Current time in secs not go over 11 digits
+    
+    def is_expiry_in_milliseconds(self, expiry_value):
+        return int(expiry_value) > 86400 #Assuming seconds not go higher than 24hrs
+        
 
 
 _CACHES = {}

{pytest_nhsd_apim-3.3.6.dist-info → pytest_nhsd_apim-5.0.15.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: pytest-nhsd-apim
-Version: 3.3.6
+Version: 5.0.15
 Summary: Pytest plugin accessing NHSDigital's APIM proxies
 Home-page: https://github.com/NHSDigital/pytest-nhsd-apim
 Author: Adrian Ciobanita
@@ -11,18 +11,33 @@ License: MIT
 Classifier: Framework :: Pytest
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Requires-Dist: Authlib (==0.15.5)
-Requires-Dist: cryptography (<42.0.0,===36.0.1)
-Requires-Dist: lxml (==4.9.1)
-Requires-Dist: pycryptodome (==3.13.0)
-Requires-Dist: PyJWT (==2.3.0)
-Requires-Dist: pyotp (==2.6.0)
-Requires-Dist: pytest (==6.2.5)
-Requires-Dist: requests (==2.27.1)
-Requires-Dist: toml (==0.10.2)
-Requires-Dist: typing-extensions (==4.3.0)
-Requires-Dist: pydantic (==1.9.1)
-Requires-Dist: wheel (<0.39.0,===0.37.1)
+Requires-Dist: Authlib==1.6.1
+Requires-Dist: cryptography==44.0.1
+Requires-Dist: lxml==5.3.1
+Requires-Dist: pycryptodome==3.20.0
+Requires-Dist: PyJWT==2.8.0
+Requires-Dist: pyotp==2.9.0
+Requires-Dist: pytest==8.2.0
+Requires-Dist: requests==2.32.0
+Requires-Dist: toml==0.10.2
+Requires-Dist: typing-extensions==4.12.2
+Requires-Dist: pydantic==2.9.2
+Requires-Dist: wheel<0.45.0,===0.37.1
+Requires-Dist: pydantic-settings==2.2.1
+Requires-Dist: setuptools==80.0.1
+Requires-Dist: urllib3==2.6.1
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license
+Dynamic: maintainer
+Dynamic: maintainer-email
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
 
 # pytest-nhsd-apim
 
@@ -99,6 +114,7 @@ The APIs we offer at the moment are:
 | ApiProductsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L575)  |[Overview](https://apidocs.apigee.com/docs/api-products/1/overview)|
 | DebugSessionsAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L844)  |[Overview](https://apidocs.apigee.com/docs/debug-sessions/1/overview)|
 | AccessTokensAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L983)  |[Overview](https://apidocs.apigee.com/docs/oauth-20-access-tokens/1/overview)|
+| AppKeysAPI  | [here](/src/pytest_nhsd_apim/apigee_apis.py#L1243)  |[Overview](https://apidocs.apigee.com/docs/developer-app-keys/1/overview)|
 
 For a more detailed implementation of the available APIs please refer to the tests [here](/tests/test_apigee_apis.py).
 We will keep adding APIs with time, if you are looking for a particular APIs not listed above please feel free to open a pull request and send it to us.

pytest_nhsd_apim-5.0.15.dist-info/RECORD

@@ -0,0 +1,16 @@
+pytest_nhsd_apim/__init__.py,sha256=CRwQfUDrbXIqvJX6OfTR4jGdhlU9kjGmBAptJasRg7E,72
+pytest_nhsd_apim/apigee_apis.py,sha256=u_sHjISj4XKgidVje1Uzq4LblMGnX4lrrrMWZM-SEF4,67289
+pytest_nhsd_apim/apigee_edge.py,sha256=9Vtad7LGyNAnRoSj9I-1T6mylgRlDF88ISanRAjpU5c,19076
+pytest_nhsd_apim/auth_journey.py,sha256=UovbLXhokUnikrMOaXIhjV8t5aRrcxinAbS96nfZWcY,5154
+pytest_nhsd_apim/config.py,sha256=ScKfV8iURqDXX2ajgGsRDcVn9RZy2DxLoEU2QQt9lmA,4246
+pytest_nhsd_apim/identity_service.py,sha256=1SYR8yY66XTygF6jr3dUD22lAMnz6IImMaDQtm5YwXg,19749
+pytest_nhsd_apim/log.py,sha256=8gYHqzlQM546FB2XvFmLTk1YfZRNeNhIwLmOy0GScr8,2685
+pytest_nhsd_apim/nhsd_apim_authorization.py,sha256=GR8GfbIZyqBC4jsSZMYNifDH52E3VWoIa7lrpuvIbaM,3513
+pytest_nhsd_apim/pytest_nhsd_apim.py,sha256=ZCItUqcM23CCmcRyGU8bEwI3vJnNcGdoOlbSfvYILR8,5242
+pytest_nhsd_apim/secrets.py,sha256=yIYwOZwpliIomtqSJGIYRbAE2HYvLvQU4W2kOa9TnXo,2354
+pytest_nhsd_apim/token_cache.py,sha256=u22VEoHxGkpOzPjsCOHFSW-5aM5zlj2uejwV5mB5Lbo,4140
+pytest_nhsd_apim-5.0.15.dist-info/METADATA,sha256=VnNWHfWkNLapZA3g4RZWmxocZ82v3buj4MRY0nYaB_4,4990
+pytest_nhsd_apim-5.0.15.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+pytest_nhsd_apim-5.0.15.dist-info/entry_points.txt,sha256=XWicT3meTpqLXnZcXNoAd2IfXspFPlNgMgLBMy4nqwQ,57
+pytest_nhsd_apim-5.0.15.dist-info/top_level.txt,sha256=ZK5GZP-g_K8gNfm4a58T9JCRb0i1X267ngvNelCGgfQ,17
+pytest_nhsd_apim-5.0.15.dist-info/RECORD,,

{pytest_nhsd_apim-3.3.6.dist-info → pytest_nhsd_apim-5.0.15.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.38.4)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

pytest_nhsd_apim-3.3.6.dist-info/RECORD

@@ -1,16 +0,0 @@
-pytest_nhsd_apim/__init__.py,sha256=CRwQfUDrbXIqvJX6OfTR4jGdhlU9kjGmBAptJasRg7E,72
-pytest_nhsd_apim/apigee_apis.py,sha256=b1Ay1MBCdlcy3-QoQhfeFwnGkY2bmYAXJhEzCO1ZK54,57430
-pytest_nhsd_apim/apigee_edge.py,sha256=a7hXBgm4hmUyyzrxJkWapsbWVBVGQAB1r9Mdnyw9-GU,18675
-pytest_nhsd_apim/auth_journey.py,sha256=UovbLXhokUnikrMOaXIhjV8t5aRrcxinAbS96nfZWcY,5154
-pytest_nhsd_apim/config.py,sha256=ScKfV8iURqDXX2ajgGsRDcVn9RZy2DxLoEU2QQt9lmA,4246
-pytest_nhsd_apim/identity_service.py,sha256=tFpu20oiOVj2Nb78mGKfwDchbc-mUX6x0DLgUozy190,20102
-pytest_nhsd_apim/log.py,sha256=8gYHqzlQM546FB2XvFmLTk1YfZRNeNhIwLmOy0GScr8,2685
-pytest_nhsd_apim/nhsd_apim_authorization.py,sha256=TE_6YnoM7kpRReiZP6-Z52rRs9bUuax1mpXqkbzg8zQ,3505
-pytest_nhsd_apim/pytest_nhsd_apim.py,sha256=_snJGTUVsHA70FGrKNNXjx9yNc_UjO1Ffhw0SLQtYUs,5214
-pytest_nhsd_apim/secrets.py,sha256=ZoTMRQGElAq4NNOx6FelINKo_YVNBWdgDY8x3bs_Zr0,2272
-pytest_nhsd_apim/token_cache.py,sha256=6L08taTlSyRsx2NCb0LSGsHdWx_wmqwlFtcF7pZMhUg,3540
-pytest_nhsd_apim-3.3.6.dist-info/METADATA,sha256=mKf7s7BQ4TuHv-imklQwzzYNuA7TqCdJ4Lu2QzoZmgw,4526
-pytest_nhsd_apim-3.3.6.dist-info/WHEEL,sha256=2wepM1nk4DS4eFpYrW1TTqPcoGNfHhhO_i5m4cOimbo,92
-pytest_nhsd_apim-3.3.6.dist-info/entry_points.txt,sha256=XWicT3meTpqLXnZcXNoAd2IfXspFPlNgMgLBMy4nqwQ,57
-pytest_nhsd_apim-3.3.6.dist-info/top_level.txt,sha256=ZK5GZP-g_K8gNfm4a58T9JCRb0i1X267ngvNelCGgfQ,17
-pytest_nhsd_apim-3.3.6.dist-info/RECORD,,