PRMDR-558: Multiple GP admin role codes (#217)

lambdas/services/login_service.py

@@ -157,8 +157,8 @@ def generate_repository_role(self, organisation: dict, smartcard_role: str):
         logger.info(f"Smartcard Role: {smartcard_role}")
 
         if (
-            self.token_handler_ssm_service.get_smartcard_role_gp_admin()
-            == smartcard_role
+            smartcard_role
+            in self.token_handler_ssm_service.get_smartcard_role_gp_admin()
         ):
             logger.info("GP Admin: smartcard ODS identified")
             if self.has_role_org_role_code(

lambdas/services/token_handler_ssm_service.py

@@ -1,9 +1,15 @@
-import logging
-
 from services.base.ssm_service import SSMService
+from utils.audit_logging_setup import LoggingService
+from utils.constants.ssm import (
+    GP_ADMIN_USER_ROLE_CODES,
+    GP_CLINICAL_USER_ROLE_CODE,
+    GP_ORG_ROLE_CODE,
+    PCSE_ODS_CODE,
+    PCSE_USER_ROLE_CODE,
+)
+from utils.lambda_exceptions import LoginException
 
-logger = logging.getLogger()
-logger.setLevel(logging.INFO)
+logger = LoggingService(__name__)
 
 
 class TokenHandlerSSMService(SSMService):
@@ -14,68 +20,116 @@ def get_smartcard_role_codes(self) -> list[str]:
         logger.info("starting ssm request to retrieve required smartcard role codes")
         params = self.get_ssm_parameters(
             [
-                "/auth/smartcard/role/gp_admin",
-                "/auth/smartcard/role/gp_clinical",
-                "/auth/smartcard/role/pcse",
+                GP_ADMIN_USER_ROLE_CODES,
+                GP_CLINICAL_USER_ROLE_CODE,
+                PCSE_USER_ROLE_CODE,
             ]
         )
 
         response = [
-            params["/auth/smartcard/role/gp_admin"],
-            params["/auth/smartcard/role/gp_clinical"],
-            params["/auth/smartcard/role/pcse"],
+            params.get(GP_ADMIN_USER_ROLE_CODES),
+            params.get(GP_CLINICAL_USER_ROLE_CODE),
+            params.get(PCSE_USER_ROLE_CODE),
         ]
 
+        if None in response:
+            logger.error(
+                "SSM parameter values for GP admin/clinical or PSCE roles may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "Failed to find SSM parameter value for user role"
+            )
+
         return response
 
-    def get_smartcard_role_gp_admin(self) -> str:
+    def get_smartcard_role_gp_admin(self) -> list[str]:
         logger.info(
             "starting ssm request to retrieve required smartcard role code gp admin"
         )
-        params = self.get_ssm_parameters(["/auth/smartcard/role/gp_admin"])
-
-        response = params["/auth/smartcard/role/gp_admin"]
+        params = self.get_ssm_parameters([GP_ADMIN_USER_ROLE_CODES])
+        values = params.get(GP_ADMIN_USER_ROLE_CODES)
+
+        if values is None:
+            logger.error(
+                "SSM parameter values for GP admin role may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "Failed to find SSM parameter value for user role"
+            )
+
+        response = values.split(",")
         return response
 
     def get_smartcard_role_gp_clinical(self) -> str:
         logger.info(
             "starting ssm request to retrieve required smartcard role code gp clinical"
         )
-        params = self.get_ssm_parameters(["/auth/smartcard/role/gp_clinical"])
+        params = self.get_ssm_parameters([GP_CLINICAL_USER_ROLE_CODE])
+
+        response = params.get(GP_CLINICAL_USER_ROLE_CODE)
+        if response is None:
+            logger.error(
+                "SSM parameter values for GP clinical user role may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "Failed to find SSM parameter value for user role"
+            )
 
-        logger.info(f"Params: {params}")
-        response = params["/auth/smartcard/role/gp_clinical"]
         return response
 
     def get_smartcard_role_pcse(self) -> str:
         logger.info(
             "starting ssm request to retrieve required smartcard role code pcse"
         )
-        params = self.get_ssm_parameters(["/auth/smartcard/role/pcse"])
-
-        response = params["/auth/smartcard/role/pcse"]
+        params = self.get_ssm_parameters([PCSE_USER_ROLE_CODE])
+        response = params.get(PCSE_USER_ROLE_CODE)
+        if response is None:
+            logger.error(
+                "SSM parameter values for PCSE user role may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "Failed to find SSM parameter value for user role"
+            )
         return response
 
     def get_org_role_codes(self) -> list[str]:
         logger.info("starting ssm request to retrieve required org roles codes")
         params = self.get_ssm_parameters(
             [
-                "/auth/org/role_code/gpp",
+                GP_ORG_ROLE_CODE,
             ]
         )
-
-        response = [params["/auth/org/role_code/gpp"]]
+        response = [params.get(GP_ORG_ROLE_CODE)]
+        if None in response:
+            logger.error(
+                "SSM parameter values for GP organisation role code may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "Failed to find SSM parameter value for GP org role"
+            )
         return response
 
     def get_org_ods_codes(self) -> list[str]:
         logger.info("starting ssm request to retrieve required org ods codes")
         params = self.get_ssm_parameters(
             [
-                "/auth/org/ods_code/pcse",
+                PCSE_ODS_CODE,
             ]
         )
-
-        response = [params["/auth/org/ods_code/pcse"]]
+        response = [params.get(PCSE_ODS_CODE)]
+        if None in response:
+            logger.error(
+                "SSM parameter values for PSCE ODS code may not exist",
+                {"Result": "Unsuccessful login"},
+            )
+            raise LoginException(
+                500, "SSM parameter values for PSCE ODS code may not exist"
+            )
         return response
 
     def get_jwt_private_key(self) -> list[str]:

lambdas/tests/unit/services/test_login_service.py

@@ -264,7 +264,7 @@ def test_generate_repository_role_gp_admin(mock_logging_service, set_env, mocker
     mocker.patch.object(
         TokenHandlerSSMService,
         "get_smartcard_role_gp_admin",
-        return_value=user_role_code,
+        return_value=[user_role_code],
     )
     mocker.patch.object(
         TokenHandlerSSMService, "get_org_role_codes", return_value=[org_role_code]
@@ -286,7 +286,7 @@ def test_generate_repository_role_gp_clinical(mock_logging_service, set_env, moc
     mocker.patch.object(
         TokenHandlerSSMService,
         "get_smartcard_role_gp_admin",
-        return_value="wrong_role_code",
+        return_value=["wrong_role_code"],
     )
     mocker.patch.object(
         TokenHandlerSSMService,
@@ -313,7 +313,7 @@ def test_generate_repository_role_pcse(mock_logging_service, set_env, mocker):
     mocker.patch.object(
         TokenHandlerSSMService,
         "get_smartcard_role_gp_admin",
-        return_value="wrong_role_code",
+        return_value=["wrong_role_code"],
     )
     mocker.patch.object(
         TokenHandlerSSMService,
@@ -341,7 +341,7 @@ def test_generate_repository_role_no_role(mock_logging_service, set_env, mocker)
     mocker.patch.object(
         TokenHandlerSSMService,
         "get_smartcard_role_gp_admin",
-        return_value="wrong_role_code",
+        return_value=["wrong_role_code"],
     )
     mocker.patch.object(
         TokenHandlerSSMService,