Remove unused HMPPS Auth code

cypress.config.ts

@@ -1,7 +1,8 @@
 import { defineConfig } from 'cypress'
 import { resetStubs } from './integration_tests/mockApis/wiremock'
+import hmppsAuth from './integration_tests/mockApis/hmppsAuth'
 import govukOneLogin from './integration_tests/mockApis/govukOneLogin'
-import tokenVerification from './integration_tests/mockApis/tokenVerification'
+import orchestrationService from './integration_tests/mockApis/orchestration'
 
 export default defineConfig({
   chromeWebSecurity: false,
@@ -17,8 +18,10 @@ export default defineConfig({
     setupNodeEvents(on) {
       on('task', {
         reset: resetStubs,
+        ...hmppsAuth,
         ...govukOneLogin,
-        ...tokenVerification,
+
+        ...orchestrationService,
 
         // Log message to console
         log: (message: string) => {

docker-compose.yml

@@ -33,11 +33,8 @@ services:
       - "3000:3000"
     environment:
       - REDIS_HOST=redis-public-ui
-      - HMPPS_AUTH_EXTERNAL_URL=http://localhost:9090/auth
       - HMPPS_AUTH_URL=http://hmpps-auth:8080/auth
       # These will need to match new creds in the seed auth service auth
-      - API_CLIENT_ID=client-id
-      - API_CLIENT_SECRET=client-secret
       - SYSTEM_CLIENT_ID=system-client-id
       - SYSTEM_CLIENT_SECRET=system-client-secret
 

feature.env

@@ -1,10 +1,8 @@
 PORT=3007
 INGRESS_URL=http://localhost:3007
 HMPPS_AUTH_URL=http://localhost:9091/auth
-TOKEN_VERIFICATION_API_URL=http://localhost:9091/verification
-TOKEN_VERIFICATION_ENABLED=true
 NODE_ENV=development
-API_CLIENT_ID=clientid
-API_CLIENT_SECRET=clientsecret
 SYSTEM_CLIENT_ID=clientid
 SYSTEM_CLIENT_SECRET=clientsecret
+
+ORCHESTRATION_API_URL=http://localhost:9091/orchestration

helm_deploy/hmpps-book-a-prison-visit-ui/values.yaml

@@ -35,7 +35,6 @@ generic-service:
   env:
     NODE_ENV: "production"
     REDIS_TLS_ENABLED: "true"
-    TOKEN_VERIFICATION_ENABLED: "true"
     APPLICATIONINSIGHTS_CONNECTION_STRING: "InstrumentationKey=$(APPINSIGHTS_INSTRUMENTATIONKEY);IngestionEndpoint=https://northeurope-0.in.applicationinsights.azure.com/;LiveEndpoint=https://northeurope.livediagnostics.monitor.azure.com/"
 
   # Pre-existing kubernetes secrets to load as environment variables in the deployment.
@@ -46,8 +45,6 @@ generic-service:
   namespace_secrets:
     hmpps-book-a-prison-visit-ui:
       APPINSIGHTS_INSTRUMENTATIONKEY: "APPINSIGHTS_INSTRUMENTATIONKEY"
-      API_CLIENT_ID: "API_CLIENT_ID"
-      API_CLIENT_SECRET: "API_CLIENT_SECRET"
       SYSTEM_CLIENT_ID: "SYSTEM_CLIENT_ID"
       SYSTEM_CLIENT_SECRET: "SYSTEM_CLIENT_SECRET"
       SESSION_SECRET: "SESSION_SECRET"

helm_deploy/values-dev.yaml

@@ -10,7 +10,6 @@ generic-service:
   env:
     INGRESS_URL: "https://visit-dev.prison.service.justice.gov.uk"
     HMPPS_AUTH_URL: "https://sign-in-dev.hmpps.service.justice.gov.uk/auth"
-    TOKEN_VERIFICATION_API_URL: "https://token-verification-api-dev.prison.service.justice.gov.uk"
     GOVUK_ONE_LOGIN_URL: "https://oidc.integration.account.gov.uk"
     ORCHESTRATION_API_URL: "https://hmpps-manage-prison-visits-orchestration-dev.prison.service.justice.gov.uk"
 

helm_deploy/values-preprod.yaml

@@ -10,7 +10,6 @@ generic-service:
   env:
     INGRESS_URL: "https://visit-preprod.prison.service.justice.gov.uk"
     HMPPS_AUTH_URL: "https://sign-in-preprod.hmpps.service.justice.gov.uk/auth"
-    TOKEN_VERIFICATION_API_URL: "https://token-verification-api-preprod.prison.service.justice.gov.uk"
 
 generic-prometheus-alerts:
   alertSeverity: digital-prison-service-dev

helm_deploy/values-prod.yaml

@@ -8,7 +8,6 @@ generic-service:
   env:
     INGRESS_URL: "https://visit.prison.service.justice.gov.uk"
     HMPPS_AUTH_URL: "https://sign-in.hmpps.service.justice.gov.uk/auth"
-    TOKEN_VERIFICATION_API_URL: "https://token-verification-api.prison.service.justice.gov.uk"
 
 generic-prometheus-alerts:
   alertSeverity: digital-prison-service

helm_deploy/values-staging.yaml

@@ -10,7 +10,6 @@ generic-service:
   env:
     INGRESS_URL: "https://visit-staging.prison.service.justice.gov.uk"
     HMPPS_AUTH_URL: "https://sign-in-dev.hmpps.service.justice.gov.uk/auth"
-    TOKEN_VERIFICATION_API_URL: "https://token-verification-api-dev.prison.service.justice.gov.uk"
 
 generic-prometheus-alerts:
   alertSeverity: digital-prison-service-dev

integration_tests/e2e/health.cy.ts

@@ -2,7 +2,7 @@ context('Healthcheck', () => {
   context('All healthy', () => {
     beforeEach(() => {
       cy.task('reset')
-      cy.task('stubTokenVerificationPing')
+      cy.task('stubOrchestrationPing')
     })
 
     it('Health check page is visible', () => {
@@ -19,12 +19,12 @@ context('Healthcheck', () => {
   })
 
   context('Some unhealthy', () => {
-    it('Reports correctly when token verification down', () => {
+    it('Reports correctly when orchestration down', () => {
       cy.task('reset')
-      cy.task('stubTokenVerificationPing', 500)
+      cy.task('stubOrchestrationPing', 500)
 
       cy.request({ url: '/health', method: 'GET', failOnStatusCode: false }).then(response => {
-        expect(response.body.checks.tokenVerification).to.contain({ status: 500, retries: 2 })
+        expect(response.body.checks.orchestration).to.contain({ status: 500, retries: 2 })
       })
     })
   })

integration_tests/e2e/orcestrationApiTest.cy.ts

@@ -0,0 +1,13 @@
+context('Test API call page', () => {
+  beforeEach(() => {
+    cy.task('reset')
+    cy.task('stubSignIn')
+    cy.signIn()
+  })
+
+  it('Test call to Orchestration service', () => {
+    cy.task('stubHmppsAuthToken')
+    cy.task('stubSupportedPrisonIds')
+    cy.visit('/prisons')
+  })
+})

integration_tests/mockApis/hmppsAuth.ts

@@ -0,0 +1,44 @@
+import jwt from 'jsonwebtoken'
+
+import { stubFor } from './wiremock'
+
+const createToken = () => {
+  const payload = {
+    sub: 'system_client_id',
+    grant_type: 'client_credentials',
+    scope: ['read', 'write'],
+    auth_source: 'none',
+    iss: 'http://localhost:9091/auth/auth/issuer',
+    authorities: ['ROLE_VISIT_SCHEDULER'],
+    jti: 'NBmv9IH_xw89YFE_tFoBwI1zo9Y',
+    client_id: 'system_client_id',
+  }
+  return jwt.sign(payload, 'secret', { expiresIn: '1h' })
+}
+
+const stubHmppsAuthToken = () =>
+  stubFor({
+    request: {
+      method: 'POST',
+      urlPattern: '/auth/oauth/token',
+    },
+    response: {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json;charset=UTF-8',
+        Location: 'http://localhost:3007/sign-in/callback?code=codexxxx&state=stateyyyy',
+      },
+      jsonBody: {
+        access_token: createToken(),
+        token_type: 'bearer',
+        expires_in: 599,
+        scope: 'read',
+        sub: 'system_client_id',
+        auth_source: 'none',
+        jti: 'NBmv9IH_xw89YFE_tFoBwI1zo9Y',
+        iss: 'http://localhost:9091/auth/auth/issuer',
+      },
+    },
+  })
+
+export default { stubHmppsAuthToken }

integration_tests/mockApis/tokenVerification.ts → integration_tests/mockApis/orchestration.ts

@@ -1,29 +1,31 @@
 import { SuperAgentRequest } from 'superagent'
 import { stubFor } from './wiremock'
+import TestData from '../../server/routes/testutils/testData'
 
 export default {
-  stubTokenVerificationPing: (status = 200): SuperAgentRequest =>
+  stubOrchestrationPing: (status = 200): SuperAgentRequest =>
     stubFor({
       request: {
         method: 'GET',
-        urlPattern: '/verification/health/ping',
+        urlPattern: '/orchestration/health/ping',
       },
       response: {
         status,
         headers: { 'Content-Type': 'application/json;charset=UTF-8' },
         jsonBody: { status: 'UP' },
       },
     }),
-  stubVerifyToken: (active = true): SuperAgentRequest =>
-    stubFor({
+  stubSupportedPrisonIds: (): SuperAgentRequest => {
+    return stubFor({
       request: {
-        method: 'POST',
-        urlPattern: '/verification/token/verify',
+        method: 'GET',
+        url: '/orchestration/config/prisons/supported',
       },
       response: {
         status: 200,
         headers: { 'Content-Type': 'application/json;charset=UTF-8' },
-        jsonBody: { active },
+        jsonBody: TestData.supportedPrisonIds(),
       },
-    }),
+    })
+  },
 }

server/authentication/clientCredentials.ts

@@ -1,9 +1,4 @@
-import config from '../config'
-
-export default function generateOauthClientToken(
-  clientId: string = config.apis.hmppsAuth.apiClientId,
-  clientSecret: string = config.apis.hmppsAuth.apiClientSecret,
-): string {
+export default function generateOauthClientToken(clientId: string, clientSecret: string): string {
   const token = Buffer.from(`${clientId}:${clientSecret}`).toString('base64')
   return `Basic ${token}`
 }

server/config.ts

@@ -49,14 +49,11 @@ export default {
   apis: {
     hmppsAuth: {
       url: get('HMPPS_AUTH_URL', 'http://localhost:9090/auth', requiredInProduction),
-      externalUrl: get('HMPPS_AUTH_EXTERNAL_URL', get('HMPPS_AUTH_URL', 'http://localhost:9090/auth')),
       timeout: {
         response: Number(get('HMPPS_AUTH_TIMEOUT_RESPONSE', 10000)),
         deadline: Number(get('HMPPS_AUTH_TIMEOUT_DEADLINE', 10000)),
       },
       agent: new AgentConfig(Number(get('HMPPS_AUTH_TIMEOUT_RESPONSE', 10000))),
-      apiClientId: get('API_CLIENT_ID', 'clientid', requiredInProduction),
-      apiClientSecret: get('API_CLIENT_SECRET', 'clientsecret', requiredInProduction),
       systemClientId: get('SYSTEM_CLIENT_ID', 'clientid', requiredInProduction),
       systemClientSecret: get('SYSTEM_CLIENT_SECRET', 'clientsecret', requiredInProduction),
     },
@@ -65,15 +62,6 @@ export default {
       clientId: get('GOVUK_ONE_LOGIN_CLIENT_ID', 'clientId', requiredInProduction),
       privateKey: get('GOVUK_ONE_LOGIN_PRIVATE_KEY', 'privateKey', requiredInProduction),
     },
-    tokenVerification: {
-      url: get('TOKEN_VERIFICATION_API_URL', 'http://localhost:8100', requiredInProduction),
-      timeout: {
-        response: Number(get('TOKEN_VERIFICATION_API_TIMEOUT_RESPONSE', 5000)),
-        deadline: Number(get('TOKEN_VERIFICATION_API_TIMEOUT_DEADLINE', 5000)),
-      },
-      agent: new AgentConfig(Number(get('TOKEN_VERIFICATION_API_TIMEOUT_RESPONSE', 5000))),
-      enabled: get('TOKEN_VERIFICATION_ENABLED', 'false') === 'true',
-    },
     orchestration: {
       url: get('ORCHESTRATION_API_URL', 'http://localhost:8080', requiredInProduction),
       timeout: {

server/data/hmppsAuthClient.test.ts

@@ -8,7 +8,6 @@ jest.mock('./tokenStore')
 
 const tokenStore = new TokenStore(null) as jest.Mocked<TokenStore>
 
-const username = 'Bob'
 const token = { access_token: 'token-1', expires_in: 300 }
 
 describe('hmppsAuthClient', () => {
@@ -25,60 +24,19 @@ describe('hmppsAuthClient', () => {
     nock.cleanAll()
   })
 
-  describe('getUser', () => {
-    it('should return data from api', async () => {
-      const response = { data: 'data' }
-
-      fakeHmppsAuthApi
-        .get('/api/user/me')
-        .matchHeader('authorization', `Bearer ${token.access_token}`)
-        .reply(200, response)
-
-      const output = await hmppsAuthClient.getUser(token.access_token)
-      expect(output).toEqual(response)
-    })
-  })
-
-  describe('getUserRoles', () => {
-    it('should return data from api', async () => {
-      fakeHmppsAuthApi
-        .get('/api/user/me/roles')
-        .matchHeader('authorization', `Bearer ${token.access_token}`)
-        .reply(200, [{ roleCode: 'role1' }, { roleCode: 'role2' }])
-
-      const output = await hmppsAuthClient.getUserRoles(token.access_token)
-      expect(output).toEqual(['role1', 'role2'])
-    })
-  })
-
   describe('getSystemClientToken', () => {
     it('should instantiate the redis client', async () => {
       tokenStore.getToken.mockResolvedValue(token.access_token)
-      await hmppsAuthClient.getSystemClientToken(username)
+      await hmppsAuthClient.getSystemClientToken()
     })
 
     it('should return token from redis if one exists', async () => {
       tokenStore.getToken.mockResolvedValue(token.access_token)
-      const output = await hmppsAuthClient.getSystemClientToken(username)
-      expect(output).toEqual(token.access_token)
-    })
-
-    it('should return token from HMPPS Auth with username', async () => {
-      tokenStore.getToken.mockResolvedValue(null)
-
-      fakeHmppsAuthApi
-        .post(`/oauth/token`, 'grant_type=client_credentials&username=Bob')
-        .basicAuth({ user: config.apis.hmppsAuth.systemClientId, pass: config.apis.hmppsAuth.systemClientSecret })
-        .matchHeader('Content-Type', 'application/x-www-form-urlencoded')
-        .reply(200, token)
-
-      const output = await hmppsAuthClient.getSystemClientToken(username)
-
+      const output = await hmppsAuthClient.getSystemClientToken()
       expect(output).toEqual(token.access_token)
-      expect(tokenStore.setToken).toBeCalledWith('Bob', token.access_token, 240)
     })
 
-    it('should return token from HMPPS Auth without username', async () => {
+    it('should return token from HMPPS Auth', async () => {
       tokenStore.getToken.mockResolvedValue(null)
 
       fakeHmppsAuthApi