bearer

Author: Namitha-Prabhu

infrastructure/terraform/components/api/README.md

@@ -12,6 +12,8 @@ No requirements.
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_ca_pem_filename"></a> [ca\_pem\_filename](#input\_ca\_pem\_filename) | Filename for the CA truststore file within the s3 bucket | `string` | `null` | no |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
+| <a name="input_core_account_id"></a> [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
+| <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
@@ -34,26 +36,26 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
+| <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_domain_truststore"></a> [domain\_truststore](#module\_domain\_truststore) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
 | <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-eventpub.zip | n/a |
 | <a name="module_eventsub"></a> [eventsub](#module\_eventsub) | ../../modules/eventsub | n/a |
-| <a name="module_get_letter"></a> [get\_letter](#module\_get\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
-| <a name="module_get_letter_data"></a> [get\_letter\_data](#module\_get\_letter\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
-| <a name="module_get_letters"></a> [get\_letters](#module\_get\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
-| <a name="module_get_status"></a> [get\_status](#module\_get\_status) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
+| <a name="module_get_letter"></a> [get\_letter](#module\_get\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_get_letter_data"></a> [get\_letter\_data](#module\_get\_letter\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_get_letters"></a> [get\_letters](#module\_get\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_get_status"></a> [get\_status](#module\_get\_status) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-kms.zip | n/a |
-| <a name="module_letter_status_update"></a> [letter\_status\_update](#module\_letter\_status\_update) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
+| <a name="module_letter_status_update"></a> [letter\_status\_update](#module\_letter\_status\_update) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_letter_status_updates_queue"></a> [letter\_status\_updates\_queue](#module\_letter\_status\_updates\_queue) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
-| <a name="module_letter_updates_transformer"></a> [letter\_updates\_transformer](#module\_letter\_updates\_transformer) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
+| <a name="module_letter_updates_transformer"></a> [letter\_updates\_transformer](#module\_letter\_updates\_transformer) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_logging_bucket"></a> [logging\_bucket](#module\_logging\_bucket) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
-| <a name="module_patch_letter"></a> [patch\_letter](#module\_patch\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
-| <a name="module_post_letters"></a> [post\_letters](#module\_post\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
-| <a name="module_post_mi"></a> [post\_mi](#module\_post\_mi) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
+| <a name="module_patch_letter"></a> [patch\_letter](#module\_patch\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_post_letters"></a> [post\_letters](#module\_post\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
+| <a name="module_post_mi"></a> [post\_mi](#module\_post\_mi) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_test_letters"></a> [s3bucket\_test\_letters](#module\_s3bucket\_test\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_letter_updates"></a> [sqs\_letter\_updates](#module\_sqs\_letter\_updates) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-sqs.zip | n/a |
 | <a name="module_supplier_ssl"></a> [supplier\_ssl](#module\_supplier\_ssl) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-ssl.zip | n/a |
-| <a name="module_upsert_letter"></a> [upsert\_letter](#module\_upsert\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
+| <a name="module_upsert_letter"></a> [upsert\_letter](#module\_upsert\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 ## Outputs
 
 | Name | Description |

tests/e2e-tests/api/test-get-letter-status.py

@@ -1,7 +1,7 @@
 import requests
 import pytest
 from lib.fixtures import *  # NOSONAR
-from lib.constants import DEFAULT_CONTENT_TYPE, VALID_ENDPOINTS
+from lib.constants import LETTERS_ENDPOINT
 
 @pytest.mark.test
 @pytest.mark.devtest
@@ -10,9 +10,7 @@
 def test_406(url, bearer_token):
 
     headers = Generators.generate_valid_headers(bearer_token)
-    data = Generators.generate_valid_create_message_body(url)
 
     get_message_response = requests.get(f"{url}/letters/status", headers=headers)
 
-
     assert get_message_response.status_code == 200

tests/e2e-tests/lib/authentication.py

@@ -0,0 +1,136 @@
+import uuid
+from time import time, sleep
+import os
+import jwt
+import requests
+import json
+from .secret import Secret
+
+
+class AuthenticationCache():
+    def __init__(self):
+        self.tokens = {}
+
+        # Number of consecutive authentication tests before considering it worked.
+        # This is required because apigee might be using load balancing.
+        self.consecutive_tests = 4
+
+        # Number of seconds before trying a test again
+        self.time_between_tests = 10
+
+        # Number of attempts before giving up. It can take up to 5 minutes for the
+        # addition of a product to an application to take effect.
+        # time_between_tests * max_tests = 300 seconds = 5 minutes.
+        self.max_tests = 30
+
+        # How long the token will stay valid
+        self.token_validity = 180
+
+    def generate_authentication(self, env, base_url):
+
+        # For the test_url, note that we don't need a message_id that actually exists in
+        # the backend. The test will only check that the API doesn't return a 401,
+        # a 404 response means the authentication is working.
+        test_url = f"{base_url}/v1/messages/message_id"
+
+        if env in ["internal-dev", "ref"]:
+            api_key = os.environ["NON_PROD_API_KEY"]
+            private_key = os.environ["NON_PROD_PRIVATE_KEY"]
+            url = "https://internal-dev.api.service.nhs.uk/oauth2/token"
+            kid = "local"
+        elif env == "int":
+            api_key = os.environ.get("INTEGRATION_API_KEY")
+            private_key = os.environ.get("INTEGRATION_PRIVATE_KEY")
+            url = "https://int.api.service.nhs.uk/oauth2/token"
+            kid = "local"
+        elif env == "prod":
+            api_key = os.environ.get("PRODUCTION_API_KEY")
+            private_key = os.environ.get("PRODUCTION_PRIVATE_KEY")
+            url = "https://api.service.nhs.uk/oauth2/token"
+            kid = "prod-1"
+        else:
+            raise ValueError("Unknown value: ", env)
+
+        _, latest_token_expiry = self.tokens.get(env, (None, 0))
+
+        # Generate new token if latest token will expire in 15 seconds
+        if env not in self.tokens or latest_token_expiry < int(time()) + 15:
+            self.tokens[env] = self.generate_and_test_new_token(api_key, private_key, url, kid, test_url)
+
+        bearer_token = self.tokens[env][0]
+        return Secret(bearer_token)
+
+    def generate_and_test_new_token(self, api_key, private_key, url, kid, test_url):
+        new_token = None
+        valid_auth = False
+
+        for i in range(self.max_tests):
+            print(f"Testing new token, attemp #{i+1}")
+            if new_token is None:
+                new_token = self.generate_new_token(api_key, private_key, url, kid)
+                time_since_new_token = int(time())
+
+            if self.test_token(test_url, new_token[0]):
+                valid_auth = True
+                break
+
+            # The test failed, give apigee some time to update its cache.
+            sleep(self.time_between_tests)
+
+            if int(time()) - time_since_new_token > (self.token_validity / 2):
+                # Token about to expire, generate a new one
+                new_token = None
+
+        if valid_auth:
+            print("Token generated successfully")
+            return new_token
+
+        print("Could not generate token")
+        raise RuntimeError("Could not generate token")
+
+    def generate_new_token(self, api_key, private_key, url, kid):
+        pk_pem = None
+        with open(private_key, "r") as f:
+            pk_pem = f.read()
+
+        token_expiry = int(time()) + self.token_validity
+
+        claims = {
+            "sub": api_key,
+            "iss": api_key,
+            "jti": str(uuid.uuid4()),
+            "aud": url,
+            "exp": token_expiry,
+        }
+        additional_headers = {"kid": kid}
+
+        j = jwt.encode(
+            claims, pk_pem, algorithm="RS512", headers=additional_headers
+        )
+
+        resp = requests.post(url, headers={
+            "Content-Type": "application/x-www-form-urlencoded"
+        }, data={
+            "grant_type": "client_credentials",
+            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            "client_assertion": j
+        }
+        )
+        details = json.loads(resp.content)
+
+        return (f"Bearer {details.get('access_token')}", token_expiry)
+
+    def test_token(self, test_url, token):
+        for _ in range(self.consecutive_tests):
+            resp = requests.get(
+                test_url,
+                headers={
+                    "Authorization": token,
+                    "Accept": "*/*",
+                    "Content-Type": "application/json"
+                },
+            )
+            if resp.status_code == 401:
+                return False
+
+        return True

tests/e2e-tests/lib/constants.py

@@ -1,3 +1,5 @@
 VALID_ENDPOINTS = ["/letters"]
 METHODS = ["get", "post"]
 DEFAULT_CONTENT_TYPE = "application/vnd.api+json"
+LETTERS_ENDPOINT = "/letters"
+MI_ENDPOINT = "mi"