[CDAPI-85]: Initial introduction of APIM Authenticator class

Initial Introduction of the ApimAuthenticator class, handling authentication with the API Management platform utilising Signed JWT application restricted access.
This commit also includes the creation of a `SessionManager` class handling the creation of a `request.Session` object with appropriate default configuration.

Author: nhsd-jack-wainwright

.github/workflows/preview-env.yaml

@@ -43,6 +43,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0 # Full history required for accurate sonar analysis.
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
@@ -137,6 +139,8 @@ jobs:
           APIM_APIKEY: ${{ secrets.APIM_APIKEY }}
           API_MTLS_CERT: ${{ secrets.API_MTLS_CERT }}
           API_MTLS_KEY: ${{ secrets.API_MTLS_KEY }}
+          APIM_KEY_ID: ${{ secrets.APIM_KEY_ID }}
+          CLIENT_REQUEST_TIMEOUT: ${{ secrets.CLIENT_REQUEST_TIMEOUT }}
         run: |
           cd pathology-api/target/
           FN="${{ steps.names.outputs.function_name }}"
@@ -146,6 +150,8 @@ jobs:
           API_KEY="${APIM_APIKEY:-/cds/pathology/dev/apim/api-key}"
           MTLS_CERT="${API_MTLS_CERT:-/cds/pathology/dev/mtls/client1-key-public}"
           MTLS_KEY="${API_MTLS_KEY:-/cds/pathology/dev/mtls/client1-key-secret}"
+          KEY_ID="${APIM_KEY_ID:-DEV-1}"
+          CLIENT_TIMEOUT="${CLIENT_REQUEST_TIMEOUT:-10s}"
           echo "Deploying preview function: $FN"
           wait_for_lambda_ready() {
             while true; do
@@ -167,14 +173,18 @@ jobs:
             wait_for_lambda_ready
             aws lambda update-function-configuration --function-name "$FN" \
               --handler "${{ env.LAMBDA_HANDLER }}" \
+              --memory-size 512 \
+              --timeout 30 \
               --environment "Variables={APIM_TOKEN_EXPIRY_THRESHOLD=$EXPIRY_THRESHOLD, \
                                         APIM_PRIVATE_KEY_NAME=$PRIVATE_KEY, \
                                         APIM_API_KEY_NAME=$API_KEY, \
                                         APIM_MTLS_CERT_NAME=$MTLS_CERT, \
                                         APIM_MTLS_KEY_NAME=$MTLS_KEY, \
-                                        APIM_TOKEN_URL=$MOCK_URL/apim, \
-                                        PDM_BUNDLE_URL=$MOCK_URL/pdm, \
+                                        APIM_KEY_ID=$KEY_ID, \
+                                        APIM_TOKEN_URL=$MOCK_URL/apim/oauth2/token, \
+                                        PDM_BUNDLE_URL=$MOCK_URL/apim/check_auth, \
                                         MNS_EVENT_URL=$MOCK_URL/mns, \
+                                        CLIENT_TIMEOUT=$CLIENT_TIMEOUT, \
                                         JWKS_SECRET_NAME=$JWKS_SECRET}" || true
             wait_for_lambda_ready
             aws lambda update-function-code --function-name "$FN" \
@@ -186,14 +196,18 @@ jobs:
               --handler "${{ env.LAMBDA_HANDLER }}" \
               --zip-file "fileb://artifact.zip" \
               --role "${{ steps.role-select.outputs.lambda_role }}" \
+              --memory-size 512 \
+              --timeout 30 \
               --environment "Variables={APIM_TOKEN_EXPIRY_THRESHOLD=$EXPIRY_THRESHOLD, \
                                         APIM_PRIVATE_KEY_NAME=$PRIVATE_KEY, \
                                         APIM_API_KEY_NAME=$API_KEY, \
+                                        APIM_KEY_ID=$KEY_ID, \
                                         APIM_MTLS_CERT_NAME=$MTLS_CERT, \
                                         APIM_MTLS_KEY_NAME=$MTLS_KEY, \
-                                        APIM_TOKEN_URL=$MOCK_URL/apim, \
-                                        PDM_BUNDLE_URL=$MOCK_URL/pdm, \
+                                        APIM_TOKEN_URL=$MOCK_URL/apim/oauth2/token, \
+                                        PDM_BUNDLE_URL=$MOCK_URL/apim/check_auth, \
                                         MNS_EVENT_URL=$MOCK_URL/mns, \
+                                        CLIENT_TIMEOUT=$CLIENT_TIMEOUT, \
                                         JWKS_SECRET_NAME=$JWKS_SECRET}" \
               --publish
             wait_for_lambda_ready

.github/workflows/stage-2-test.yaml

@@ -50,7 +50,7 @@ jobs:
           retention-days: 30
       - name: "Upload unit test results for mocks"
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: mock-unit-test-results
           path: mocks/test-artefacts/
@@ -60,93 +60,3 @@ jobs:
         uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
           paths: pathology-api/test-artefacts/unit-tests.xml
-
-  test-contract:
-    name: "Contract tests"
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-      - name: "Setup Python project"
-        uses: ./.github/actions/setup-python-project
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Run contract tests"
-        run: make test-contract
-      - name: "Upload contract test results"
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: contract-test-results
-          path: pathology-api/test-artefacts/
-          retention-days: 30
-      - name: "Publish contract test results to summary"
-        if: always()
-        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
-        with:
-          paths: pathology-api/test-artefacts/contract-tests.xml
-
-  test-schema:
-    name: "Schema validation tests"
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-      - name: "Setup Python project"
-        uses: ./.github/actions/setup-python-project
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Run schema validation tests"
-        run: make test-schema
-      - name: "Upload schema test results"
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: schema-test-results
-          path: pathology-api/test-artefacts/
-          retention-days: 30
-      - name: "Publish schema test results to summary"
-        if: always()
-        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
-        with:
-          paths: pathology-api/test-artefacts/schema-tests.xml
-
-  test-integration:
-    name: "Integration tests"
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-      - name: "Setup Python project"
-        uses: ./.github/actions/setup-python-project
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Start local Lambda"
-        uses: ./.github/actions/start-local-lambda
-        with:
-          python-version: ${{ inputs.python_version }}
-      - name: "Run integration test"
-        run: make test-integration
-      - name: "Upload integration test results"
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
-        with:
-          name: integration-test-results
-          path: pathology-api/test-artefacts/
-          retention-days: 30
-      - name: "Publish integration test results to summary"
-        if: always()
-        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
-        with:
-          paths: pathology-api/test-artefacts/integration-tests.xml

.vscode/settings.json

@@ -54,6 +54,10 @@
   "gitlens.ai.enabled": false,
   "python.testing.unittestEnabled": false,
   "python.testing.pytestEnabled": true,
+  "python.testing.pytestArgs": [
+    "pathology-api",
+    "mocks"
+  ],
   "git.enableCommitSigning": true,
   "sonarlint.connectedMode.project": {
     "connectionId": "nhsdigital",

pathology-api/lambda_handler.py

@@ -15,7 +15,6 @@
 from pathology_api.logging import get_logger
 
 _logger = get_logger(__name__)
-
 app = APIGatewayHttpResolver()
 
 type _ExceptionHandler[T: Exception] = Callable[[T], Response[str]]