From 618712df80f7217bd0e9b046c7b71ea15b51121d Mon Sep 17 00:00:00 2001 From: David Wass Date: Wed, 13 Aug 2025 13:42:57 +0000 Subject: [PATCH 1/2] Level 3 auth proxy --- .tool-versions | 1 + specification/api/components/x-nhsd-apim/access-dev.yml | 1 - specification/api/components/x-nhsd-apim/target-dev.yml | 2 +- specification/api/notify-supplier-phase1.yml | 8 +++----- 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.tool-versions b/.tool-versions index d847774c..8fd35386 100644 --- a/.tool-versions +++ b/.tool-versions @@ -8,6 +8,7 @@ terraform 1.10.1 terraform-docs 0.19.0 trivy 0.61.0 vale 3.6.0 +poetry 2.1.4 # ============================================================================== # The section below is reserved for Docker image versions. diff --git a/specification/api/components/x-nhsd-apim/access-dev.yml b/specification/api/components/x-nhsd-apim/access-dev.yml index e7268b38..de21d5dc 100644 --- a/specification/api/components/x-nhsd-apim/access-dev.yml +++ b/specification/api/components/x-nhsd-apim/access-dev.yml @@ -1,4 +1,3 @@ - title: Application Restricted grants: - app-level0: [] app-level3: [] diff --git a/specification/api/components/x-nhsd-apim/target-dev.yml b/specification/api/components/x-nhsd-apim/target-dev.yml index 1bdddb04..c779aa5d 100644 --- a/specification/api/components/x-nhsd-apim/target-dev.yml +++ b/specification/api/components/x-nhsd-apim/target-dev.yml @@ -3,5 +3,5 @@ healthcheck: /_status url: https://suppliers.dev.nhsnotify.national.nhs.uk security: type: apikey - header: nhsd-apim-apikey + header: Authorization secret: nhs-notify-supplier-key diff --git a/specification/api/notify-supplier-phase1.yml b/specification/api/notify-supplier-phase1.yml index 620b2849..226cb452 100644 --- a/specification/api/notify-supplier-phase1.yml +++ b/specification/api/notify-supplier-phase1.yml 
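Review bot: The switch of target-dev.yml to `header: Authorization` is undone by PATCH 2/2 of this same series, which puts target-dev.yml back to `nhsd-apim-apikey` while the new target-dev-pr.yml keeps `Authorization`, so the series ends with the dev and dev-pr proxies presenting the same `nhs-notify-supplier-key` secret to the same backend in two different headers. If the backend reads the key from only one of those header names, the other environment will not authenticate as intended; the header should be settled once and both target files kept in step (the same point applies to the target-dev-pr.yml and target-dev.yml hunks in PATCH 2/2). A comment above `header:` such as `# header in which the proxy presents the API key to the target; must match the backend's check` would make the choice explicit. Squashing the two patches would also avoid a change that is reverted within the same push.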
@@ -8,7 +8,7 @@ info: This specification represents the in-development 'next' version of the API schema and should be treated as unstable. security: - - app-level0: [ ] + - app-level3: [ ] paths: /letters: parameters: @@ -55,10 +55,8 @@ paths: $ref: 'components/endpoints/headDataId.yml' components: securitySchemes: - nhs-login-p0: - $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-login-p0 - app-level0: - $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0 + app-level3: + $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3 tags: - name: letter description: '' From 3541d82d16e905e6f802033688bf80c50653624e Mon Sep 17 00:00:00 2001 
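Review bot: Dropping the `nhs-login-p0` and `app-level0` entries from `securitySchemes` only updates the document-level `security` requirement; the operations themselves are pulled in by `$ref` from components/endpoints/*.yml (e.g. `headDataId.yml`) and are not in this diff, so any operation-level `security` entry there that still names `app-level0` or `nhs-login-p0` now refers to a scheme that no longer exists. That is worth checking before merge, because most OpenAPI validators reject an unknown scheme name outright rather than falling back to the document-level requirement. Style: the new requirement is written `- app-level3: [ ]` while the rest of the repository uses `[]`; `- app-level3: []` keeps it consistent.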
From: David Wass Date: Mon, 18 Aug 2025 13:30:10 +0000 Subject: [PATCH 2/2] Level0 for PRs --- .github/actions/build-proxies/action.yml | 7 ++++++- Makefile | 7 +++++++ specification/api/components/security/security-dev-pr.yml | 1 + specification/api/components/security/security-dev.yml | 1 + specification/api/components/security/security-sandbox.yml | 1 + .../api/components/security/security-template.yml | 1 + specification/api/components/security/security.yml | 1 + specification/api/components/x-nhsd-apim/access-dev-pr.yml | 3 +++ specification/api/components/x-nhsd-apim/access.yml | 2 +- specification/api/components/x-nhsd-apim/target-dev-pr.yml | 7 +++++++ specification/api/components/x-nhsd-apim/target-dev.yml | 2 +- specification/api/components/x-nhsd-apim/target.yml | 2 +- specification/api/notify-supplier-phase1.yml | 5 ++++- 13 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 specification/api/components/security/security-dev-pr.yml create mode 100644 specification/api/components/security/security-dev.yml create mode 100644 specification/api/components/security/security-sandbox.yml create mode 100644 specification/api/components/security/security-template.yml create mode 100644 specification/api/components/security/security.yml create mode 100644 specification/api/components/x-nhsd-apim/access-dev-pr.yml create mode 100644 specification/api/components/x-nhsd-apim/target-dev-pr.yml diff --git a/.github/actions/build-proxies/action.yml b/.github/actions/build-proxies/action.yml index a2d352ae..255ce74f 100644 --- a/.github/actions/build-proxies/action.yml +++ b/.github/actions/build-proxies/action.yml @@ -54,7 +54,12 @@ runs: working-directory: . shell: bash run: | - make build-json-oas-spec APIM_ENV=dev + if [ -z $PR_NUMBER ] + then + make build-json-oas-spec APIM_ENV=dev + else + make build-json-oas-spec APIM_ENV=dev-pr + fi - name: Set target shell: bash diff --git a/Makefile b/Makefile index 69922f07..1efc73f5 100644 --- a/Makefile 
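Review bot: `if [ -z $PR_NUMBER ]` leaves the variable unquoted, so an empty value collapses to `[ -z ]`, which is true only by accident of POSIX `test`'s one-argument rule, and any value containing whitespace breaks the test; write `if [ -z "$PR_NUMBER" ]`. Since this branch is what decides whether the spec is built with `APIM_ENV=dev` or `APIM_ENV=dev-pr`, it is effectively the switch between the app-level3 and app-level0 variants of the proxy and deserves a comment above the `if`, e.g. `# PR builds use the dev-pr spec (app-level0); non-PR builds use dev (app-level3)`. Where `PR_NUMBER` comes from is outside this hunk (the `runs:` block continues above and below it); confirm it is unset or empty, not some placeholder, on non-PR runs so that a branch build never picks up the weaker variant.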
+++ b/Makefile @@ -53,9 +53,16 @@ set-access: guard-APIM_ENV envsubst '$${ACCESS}' \ < specification/api/components/x-nhsd-apim/access-template.yml > specification/api/components/x-nhsd-apim/access.yml +set-security: guard-APIM_ENV + @ SECURITY=security-$$APIM_ENV.yml \ + envsubst '$${SECURITY}' \ + < specification/api/components/security/security-template.yml > specification/api/components/security/security.yml + construct-spec: guard-APIM_ENV $(MAKE) set-target APIM_ENV=$$APIM_ENV $(MAKE) set-access APIM_ENV=$$APIM_ENV + $(MAKE) set-security APIM_ENV=$$APIM_ENV + build-json-oas-spec: guard-APIM_ENV diff --git a/specification/api/components/security/security-dev-pr.yml b/specification/api/components/security/security-dev-pr.yml new file mode 100644 index 00000000..8a4ddb31 --- /dev/null +++ b/specification/api/components/security/security-dev-pr.yml @@ -0,0 +1 @@ +app-level0: [] diff --git a/specification/api/components/security/security-dev.yml b/specification/api/components/security/security-dev.yml new file mode 100644 index 00000000..878d7f27 --- /dev/null +++ b/specification/api/components/security/security-dev.yml @@ -0,0 +1 @@ +app-level3: [ ] diff --git a/specification/api/components/security/security-sandbox.yml b/specification/api/components/security/security-sandbox.yml new file mode 100644 index 00000000..8a4ddb31 --- /dev/null +++ b/specification/api/components/security/security-sandbox.yml @@ -0,0 +1 @@ +app-level0: [] diff --git a/specification/api/components/security/security-template.yml b/specification/api/components/security/security-template.yml new file mode 100644 index 00000000..ffd1d328 --- /dev/null +++ b/specification/api/components/security/security-template.yml @@ -0,0 +1 @@ +$ref: $SECURITY diff --git a/specification/api/components/security/security.yml b/specification/api/components/security/security.yml new file mode 100644 index 00000000..fcb0445a --- /dev/null +++ b/specification/api/components/security/security.yml 
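Review bot: `set-security` composes the `$ref` target as `security-$$APIM_ENV.yml` but nothing checks that such a file exists under specification/api/components/security/, so a typo or an environment without a security file (only dev, dev-pr and sandbox are added in this series) writes a dangling `$ref` into security.yml that surfaces, if at all, only when the spec is bundled. A fail-fast guard in the recipe, e.g. `@ test -f specification/api/components/security/security-$$APIM_ENV.yml || { echo "no security file for APIM_ENV=$$APIM_ENV"; exit 1; }`, turns that into an immediate, readable error. The same applies to `set-access`, whose body begins above this hunk, and presumably to `set-target`, which is not in the diff. A one-line comment above the target, `# write security.yml so that its $ref selects the per-environment security requirement`, would also help, since the generated file has no other documentation.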
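Review bot: security-dev.yml is written `app-level3: [ ]` while its siblings security-dev-pr.yml and security-sandbox.yml in the same patch use `app-level0: []`; the spellings are equivalent to a parser, but these files are meant to be drop-in alternatives selected through `$SECURITY`, so `app-level3: []` keeps them uniform and diffable. Each of the three would also benefit from a header comment, e.g. `# Security requirement for APIM_ENV=dev, substituted into security.yml by make set-security`, because on their own a single bare mapping gives a reader no clue what consumes it.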
@@ -0,0 +1 @@ +$ref: security-dev-pr.yml diff --git a/specification/api/components/x-nhsd-apim/access-dev-pr.yml b/specification/api/components/x-nhsd-apim/access-dev-pr.yml new file mode 100644 index 00000000..a74f73d2 --- /dev/null +++ b/specification/api/components/x-nhsd-apim/access-dev-pr.yml @@ -0,0 +1,3 @@ +- title: Application Restricted + grants: + app-level0: [] diff --git a/specification/api/components/x-nhsd-apim/access.yml b/specification/api/components/x-nhsd-apim/access.yml index 95f5f0b9..3575e12d 100644 --- a/specification/api/components/x-nhsd-apim/access.yml +++ b/specification/api/components/x-nhsd-apim/access.yml @@ -1 +1 @@ -$ref: access-sandbox.yml +$ref: access-dev-pr.yml diff --git a/specification/api/components/x-nhsd-apim/target-dev-pr.yml b/specification/api/components/x-nhsd-apim/target-dev-pr.yml new file mode 100644 index 00000000..c779aa5d --- /dev/null +++ b/specification/api/components/x-nhsd-apim/target-dev-pr.yml @@ -0,0 +1,7 @@ +type: external +healthcheck: /_status +url: https://suppliers.dev.nhsnotify.national.nhs.uk +security: + type: apikey + header: Authorization + secret: nhs-notify-supplier-key diff --git a/specification/api/components/x-nhsd-apim/target-dev.yml b/specification/api/components/x-nhsd-apim/target-dev.yml index c779aa5d..1bdddb04 100644 --- a/specification/api/components/x-nhsd-apim/target-dev.yml +++ b/specification/api/components/x-nhsd-apim/target-dev.yml @@ -3,5 +3,5 @@ healthcheck: /_status url: https://suppliers.dev.nhsnotify.national.nhs.uk security: type: apikey - header: Authorization + header: nhsd-apim-apikey secret: nhs-notify-supplier-key diff --git a/specification/api/components/x-nhsd-apim/target.yml b/specification/api/components/x-nhsd-apim/target.yml index b24b21da..db3f3af0 100644 --- a/specification/api/components/x-nhsd-apim/target.yml +++ b/specification/api/components/x-nhsd-apim/target.yml @@ -1 +1 @@ -$ref: target-sandbox.yml +$ref: target-dev-pr.yml 
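Review bot: security.yml is build output — the new `set-security` recipe in the Makefile regenerates it with envsubst on every `construct-spec` — yet it is committed here resolving to `security-dev-pr.yml`, and access.yml and target.yml in the same patch are likewise flipped from `-sandbox` to `-dev-pr`. Checking in whichever environment was built last means the repository's default state of the spec is the app-level0 PR variant and every subsequent build produces a spurious diff; either add the three resolved files to .gitignore and keep only the `-template.yml` and per-environment files, or commit a deliberate default and mark it with a comment such as `# generated by make set-security; do not edit by hand`. That target.yml is produced by `set-target` is inferred from `construct-spec`, as the recipe itself is not in this diff.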
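Review bot: target-dev-pr.yml points PR-built proxies at the same backend as target-dev.yml (`url: https://suppliers.dev.nhsnotify.national.nhs.uk`, same `secret: nhs-notify-supplier-key`) while the matching security-dev-pr.yml requires only `app-level0`, so one shared dev backend becomes reachable through two proxies of different authentication strength, the weaker of which is minted per pull request. If that trade-off is intended for review convenience it should be recorded in the file, e.g. `# PR proxies share the dev backend but are built with app-level0 security (see security-dev-pr.yml)`, and it is worth confirming that PR proxies are removed when the PR closes, which is outside this diff. The `header: Authorization` here also differs from the `nhsd-apim-apikey` that the target-dev.yml hunk in this patch settles on; the two files should agree on the header the backend actually checks.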
diff --git a/specification/api/notify-supplier-phase1.yml b/specification/api/notify-supplier-phase1.yml index 226cb452..374c784c 100644 --- a/specification/api/notify-supplier-phase1.yml +++ b/specification/api/notify-supplier-phase1.yml @@ -8,7 +8,7 @@ info: This specification represents the in-development 'next' version of the API schema and should be treated as unstable. security: - - app-level3: [ ] + - $ref: 'components/security/security.yml' paths: /letters: parameters: @@ -57,6 +57,9 @@ components: securitySchemes: app-level3: $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3 + app-level0: + $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0 + tags: - name: letter description: ''
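Review bot: The document-level requirement is now `- $ref: 'components/security/security.yml'`, but a `$ref` inside a Security Requirement Object is not something the OpenAPI specification defines (Reference Objects are allowed for schemas, parameters, responses, security schemes and the like, not for requirements), so this relies on `build-json-oas-spec` inlining the reference before Proxygen sees the document. That is plausible given that components/endpoints/*.yml are already included the same way, but it should be confirmed on the rendered JSON that the requirement reads `app-level3: []` or `app-level0: []` and not a literal `$ref` key, since a requirement naming an unknown scheme is exactly the kind of thing that fails quietly rather than loudly. The second hunk now declares both `app-level0` and `app-level3` under `securitySchemes` regardless of environment; a comment such as `# both schemes are declared; components/security/security.yml selects which one is required per APIM_ENV` would explain the apparently unused one.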