NHSDigital
diff --git a/‎.github/workflows/preview-env.yaml‎
Lines changed: 8 additions & 3 deletions b/‎.github/workflows/preview-env.yaml‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎.github/workflows/stage-2-test.yaml‎
Lines changed: 30 additions & 2 deletions b/‎.github/workflows/stage-2-test.yaml‎
Lines changed: 30 additions & 2 deletions
diff --git a/‎Makefile‎
Lines changed: 0 additions & 11 deletions b/‎Makefile‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎infrastructure/environments/preview/handler.py‎
Lines changed: 0 additions & 42 deletions b/‎infrastructure/environments/preview/handler.py‎
Lines changed: 0 additions & 42 deletions
diff --git a/‎mocks/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎mocks/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎mocks/README.md‎
Lines changed: 28 additions & 1 deletion b/‎mocks/README.md‎
Lines changed: 28 additions & 1 deletion
diff --git a/‎mocks/src/apim_mock/handler.py‎
Lines changed: 36 additions & 36 deletions b/‎mocks/src/apim_mock/handler.py‎
Lines changed: 36 additions & 36 deletions
@@ -195,18 +195,23 @@ jobs:
           echo "url      = ${{ steps.names.outputs.preview_url }}"
 
       # ---------- Handle mock endpoints ----------
+      - name: Get Secrets for mocks
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
+        with:
+          secret-ids: |
+            /cds/pathology/dev/jwks/secret
+          name-transformation: lowercase
+
       - name: Create or update mock Lambda (on open/sync/reopen)
         if: github.event.action != 'closed'
         env:
           TOKEN_EXPIRY_TIME: ${{ secrets.TOKEN_LIFETIME }}
-          JWT_ALGORITHMS: "RS512"
           AUTH_URL: "${{ steps.names.outputs.mock_preview_url }}/oauth2/token"
-          JWKS_SECRET: "${{ secrets.JWKS_SECRET }}"
+          JWKS_SECRET: ${{ env._cds_pathology_dev_jwks_secret }}
           PUBLIC_KEY_URL: "https://example.com"
           TOKEN_TABLE_NAME: "mock_services_dev"
         run: |
           cd mocks/target/
-          JWKS_SECRET="${JWKS_SECRET_NAME:-/cds/pathology/dev/jwks/secret}"
           MFN="${{ steps.names.outputs.mock_function_name }}"
           SAFE="${{ steps.branch.outputs.safe }}"
           TOKEN_LIFETIME="${TOKEN_EXPIRY_TIME:-15m}"
 
@@ -40,13 +40,20 @@ jobs:
           python-version: ${{ inputs.python_version }}
       - name: "Run unit test suite"
         run: make test-unit
-      - name: "Upload unit test results"
+      - name: "Upload unit test results for pathology-api"
         if: always()
         uses: actions/upload-artifact@v6
         with:
           name: unit-test-results
           path: pathology-api/test-artefacts/
           retention-days: 30
+      - name: "Upload unit test results for mocks"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: mock-unit-test-results
+          path: mocks/test-artefacts/
+          retention-days: 30
       - name: "Publish unit test results to summary"
         if: always()
         uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
@@ -191,19 +198,35 @@ jobs:
         with:
           path: pathology-api/test-artefacts/
           merge-multiple: false
+      - name: "Download mock test coverage artefacts"
+        uses: actions/download-artifact@v7
+        with:
+          name: mock-unit-test-results
+          path: mocks/test-artefacts/
+          merge-multiple: false
       - name: "Merge coverage data"
         run: make test-coverage
       - name: "Rename coverage XML with unique name"
         run: |
           cd pathology-api/test-artefacts
           mv coverage-merged.xml ${{ needs.create-coverage-name.outputs.coverage-name }}.xml
+          cd ../..
+          cd mocks/test-artefacts
+          mv coverage-merged.xml ${{ needs.create-coverage-name.outputs.coverage-name }}-mocks.xml
       - name: "Upload combined coverage report"
         if: always()
         uses: actions/upload-artifact@v6
         with:
           name: ${{ needs.create-coverage-name.outputs.coverage-name }}
           path: pathology-api/test-artefacts
           retention-days: 30
+      - name: "Upload mocks coverage report"
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: ${{ needs.create-coverage-name.outputs.coverage-name }}-mocks
+          path: mocks/test-artefacts
+          retention-days: 30
 
   sonarcloud-analysis:
     name: "SonarCloud Analysis"
@@ -221,6 +244,11 @@ jobs:
         with:
           name: ${{ needs.create-coverage-name.outputs.coverage-name }}
           path: coverage-reports/
+      - name: "Download mock coverage report"
+        uses: actions/download-artifact@v7
+        with:
+          name: ${{ needs.create-coverage-name.outputs.coverage-name }}-mocks
+          path: coverage-reports/
       - name: "SonarCloud Scan"
         uses: SonarSource/sonarqube-scan-action@v7
         env:
@@ -229,4 +257,4 @@ jobs:
           args: >
             -Dsonar.organization=${{ vars.SONAR_ORGANISATION_KEY }}
             -Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY }}
-            -Dsonar.python.coverage.reportPaths=coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}.xml
+            -Dsonar.python.coverage.reportPaths=coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}.xml,coverage-reports/${{ needs.create-coverage-name.outputs.coverage-name }}-mocks.xml
@@ -92,17 +92,6 @@ deploy: clean-docker build-images # Deploy the project artefact to the target en
 	$(docker) run --name api-gateway-mock -p 5002:5000 --network $(dockerNetwork) -d localhost/api-gateway-mock-image
 	$(docker) run --name api-gateway-mock-2 -p 5005:5000 -e TARGET_CONTAINER='MOCKS' --network $(dockerNetwork) -d localhost/api-gateway-mock-image
 
-# .PHONY: quick-deploy-mock
-# quick-deploy-mock: build-mocks
-# 	@echo "Stopping mocks container..."
-# 	@$(docker) stop mocks || echo "No mocks container currently running."
-
-# 	@echo "Removing mocks container..."
-# 	@$(docker) rm mocks || echo "No mocks container currently exists."
-
-# 	@$(docker) run --platform linux/amd64 --name mocks -p 5003:8080 --network $(dockerNetwork) -d localhost/mocks-image
-
-
 clean-artifacts:
 	@echo "Removing build artefacts..."
 	@rm -rf infrastructure/images/pathology-api/resources/build/
 
@@ -1,3 +1,4 @@
 /target
 /dist
 /.coverage
+/test-artefacts
@@ -2,10 +2,37 @@
 
 ## Testing
 
+There are currently only unit tests for the mocks
+
 ### Continuous
 
+All tests run automatically in the CI/CD pipeline on every push and pull request. **Any test failure at any level will cause the pipeline to fail and prevent the PR from being merged.**
+
+Additionally, code coverage is collected from all test types, merged, and analyzed by SonarCloud. PRs must meet minimum coverage thresholds to pass quality gates.
+
 ### Quick Test Commands
 
+```bash
+# Run all unit, contract, and schema tests
+poetry run pytest -v
+```
+
 ## Project Structure
 
-### Implementing new mock
+```text
+mocks
+├── src
+│   └── apim_mock
+│       ├── __init__.py
+│       ├── auth_check.py
+│       └── handler.py
+├── tests
+│   └── apim_mock
+├── README.md
+├── lambda_handler.py
+└── pyproject.toml
+```
+
+### Implementing a new mock
+
+Create a new package under the `src` folder
@@ -16,7 +16,7 @@
 AUTH_URL = os.environ.get("AUTH_URL", "https://api.service.nhs.uk/oauth2/token")
 PUBLIC_KEY_URL = os.environ.get("PUBLIC_KEY_URL", "https://example.com")
 API_KEY = os.environ.get("API_KEY", "api_key")
-TOKEN_TABLE_NAME = os.environ.get("TOKEN_TABLE_NAME", "")
+TOKEN_TABLE_NAME = os.environ.get("TOKEN_TABLE_NAME", "table_name")
 BRANCH_NAME = os.environ.get("DDB_INDEX_TAG", "")
 
 
@@ -40,7 +40,7 @@ def handle_request(payload: dict[str, Any]) -> dict[str, Any]:
 
     _validate_assertions(assertions)
 
-    token = generate_random_token()
+    token = _generate_random_token()
 
     item = {
         "access_token": token,
@@ -61,6 +61,39 @@ def handle_request(payload: dict[str, Any]) -> dict[str, Any]:
     return response
 
 
+def _validate_payload(payload: dict[str, Any]) -> None:
+    if not payload.get("grant_type"):
+        raise ValueError("grant_type is missing")
+    client_assertion_type = payload.get("client_assertion_type")
+    if (
+        not client_assertion_type
+        or client_assertion_type[0]
+        != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+    ):
+        raise ValueError(
+            "Missing or invalid client_assertion_type - "
+            "must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'"
+        )
+    if not payload.get("client_assertion"):
+        raise ValueError("Missing client_assertion")
+
+
+def _get_jwt_headers(client_assertion: str) -> dict[str, Any]:
+    unverified_headers = jwt.get_unverified_header(client_assertion)  # noqa: S5659
+    _logger.debug("unverified headers: %s", unverified_headers)
+    algorithm = unverified_headers.get("alg", "")
+    if algorithm not in JWT_ALGORITHMS:
+        raise ValueError(
+            "Invalid 'alg' header in client_assertion JWT - unsupported JWT algorithm"
+            " - must be 'RS512'"
+        )
+
+    if not unverified_headers.get("kid"):
+        raise ValueError("Missing 'kid' header in client_assertion JWT")
+
+    return unverified_headers
+
+
 def _get_jwk_key_from_url_by_kid(kid: str) -> Any:
 
     # TODO - once we have our endpoint setup we can query it here
@@ -100,23 +133,6 @@ def _get_jwk_key_from_url_by_kid(kid: str) -> Any:
     return key
 
 
-def _validate_payload(payload: dict[str, Any]) -> None:
-    if not payload.get("grant_type"):
-        raise ValueError("grant_type is missing")
-    client_assertion_type = payload.get("client_assertion_type")
-    if (
-        not client_assertion_type
-        or client_assertion_type[0]
-        != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
-    ):
-        raise ValueError(
-            "Missing or invalid client_assertion_type - "
-            "must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'"
-        )
-    if not payload.get("client_assertion"):
-        raise ValueError("Missing client_assertion")
-
-
 def _validate_assertions(assertions: dict[str, Any]) -> None:
     expected_api_key = API_KEY
 
@@ -142,30 +158,14 @@ def _validate_assertions(assertions: dict[str, Any]) -> None:
         raise ValueError("Missing exp claim in assertions")
 
 
-def _get_jwt_headers(client_assertion: str) -> dict[str, Any]:
-    unverified_headers = jwt.get_unverified_header(client_assertion)
-    _logger.debug("unverified headers: %s", unverified_headers)
-    algorithm = unverified_headers.get("alg", "")
-    if algorithm not in JWT_ALGORITHMS:
-        raise ValueError(
-            "Invalid 'alg' header in client_assertion JWT - unsupported JWT algorithm"
-            " - must be 'RS512'"
-        )
-
-    if not unverified_headers.get("kid"):
-        raise ValueError("Missing 'kid' header in client_assertion JWT")
-
-    return unverified_headers
-
-
 def check_valid_uuid4(string: str) -> bool:
     uuid_regex = (
         r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
     )
     return re.match(uuid_regex, string) is not None
 
 
-def generate_random_token() -> str:
+def _generate_random_token() -> str:
     return "".join(
         secrets.choice(
             "-._~+/" + string.ascii_uppercase + string.ascii_lowercase + string.digits
-Original file line number
+Diff line change
@@ @@ -1,3 +1,4 @@ @@
 /target
 /dist
 /.coverage
 +/test-artefacts