Merge pull request #234 from NHSDigital/DTOSS-10207-use-consumer-for-cmapi

DTOSS-10207: use Consumer Key for CMAPI requests

Author: Harriethw

manage_breast_screening/config/.env.tpl

@@ -8,3 +8,4 @@ DATABASE_USER=manage
 DATABASE_SSLMODE=allow
 DATABASE_HOST=localhost
 LOG_QUERIES=0
+CMAPI_CONSUMER_KEY=some-consumer

manage_breast_screening/notifications/api_client.py

@@ -9,6 +9,9 @@
 
 EXPIRES_IN_MINUTES = 5
 
+AUTHORIZATION_HEADER_NAME = "authorization"
+CONSUMER_KEY_NAME = "x-consumer-key"
+
 
 class OAuthError(Exception):
     pass
@@ -51,7 +54,8 @@ def headers(self) -> dict:
             "content-type": "application/vnd.api+json",
             "accept": "application/vnd.api+json",
             "x-correlation-id": str(uuid.uuid4()),
-            "authorization": f"Bearer {self.bearer_token()}",
+            AUTHORIZATION_HEADER_NAME: f"Bearer {self.bearer_token()}",
+            CONSUMER_KEY_NAME: os.getenv("CMAPI_CONSUMER_KEY"),
         }
 
     def bearer_token(self) -> str:

manage_breast_screening/notifications/tests/dependencies/cmapi_stub/app.py

@@ -21,13 +21,20 @@ def token():
 
 @app.route("/message/batch", methods=["POST"])
 def message_batches():
-    json_data = request.json
+    valid_headers, headers_error_message = verify_headers_for_consumers(
+        dict(request.headers)
+    )
 
-    messages = populate_message_ids(json_data["data"]["attributes"]["messages"])
+    if not valid_headers:
+        return json.dumps({"status": "failed", "error": headers_error_message}), 400
+
+    json_data = request.json
 
     if not validate_with_schema(json_data):
         return json.dumps({"error": "Invalid body"}), 422
 
+    messages = populate_message_ids(json_data["data"]["attributes"]["messages"])
+
     return json.dumps(
         {
             "data": {
@@ -66,6 +73,20 @@ def validate_with_schema(data: dict):
         return False, str(e)
 
 
+def verify_headers_for_consumers(headers: dict) -> tuple[bool, str]:
+    lc_headers = header_keys_to_lower(headers)
+    if lc_headers.get("authorization") is None:
+        return False, "Missing Authorization header"
+    if lc_headers.get("x-consumer-key") is None:
+        return False, "Missing Consumer key header"
+
+    return True, ""
+
+
+def header_keys_to_lower(headers: dict) -> dict:
+    return {k.lower(): v for k, v in headers.items()}
+
+
 def populate_message_ids(messages: list[dict]) -> list[dict]:
     for message in messages:
         message["id"] = uid(27) if not message.get("id") else message["id"]

manage_breast_screening/notifications/tests/integration/test_api_client_can_call_cmapi.py

@@ -22,6 +22,7 @@ def setup(self, monkeypatch):
         monkeypatch.setenv("OAUTH_API_KEY", "a1b2c3d4")
         monkeypatch.setenv("OAUTH_API_KID", "test-1")
         monkeypatch.setenv("PRIVATE_KEY", "test-key")
+        monkeypatch.setenv("CMAPI_CONSUMER_KEY", "consumer-key")
 
     @pytest.fixture
     def routing_plan_id(self):

manage_breast_screening/notifications/tests/test_api_client.py

@@ -26,6 +26,7 @@ def setup(self, monkeypatch):
         monkeypatch.setenv("OAUTH_API_KEY", "a1b2c3d4")
         monkeypatch.setenv("OAUTH_API_KID", "test-1")
         monkeypatch.setenv("PRIVATE_KEY", "test-key")
+        monkeypatch.setenv("CMAPI_CONSUMER_KEY", "consumer-key")
 
     @pytest.mark.django_db
     def test_send_message_batch(self, mock_jwt_encode, routing_plan_id):
@@ -54,6 +55,7 @@ def test_send_message_batch(self, mock_jwt_encode, routing_plan_id):
             assert request.headers["Authorization"] == "Bearer 000111"
             assert request.headers["Content-Type"] == "application/vnd.api+json"
             assert request.headers["Accept"] == "application/vnd.api+json"
+            assert request.headers["X-Consumer-Key"] == "consumer-key"
 
             assert attributes["messageBatchReference"] == str(message_batch.id)
             assert attributes["routingPlanId"] == message_batch.routing_plan_id