BB2-4729: Parsing updates (#1549)

* parsing id token updates

* add test

* fix lint issues

* updated styling, added address parsing

* reactivate iat, ial, and auth checks

* Remove patient launch scope if applicable, adjust expiration to one hour

* Pull scopes into constants

* fix status codes and uncomment iat/ial

* keep the bots happy (remove str(e))

---------

Co-authored-by: clewellyn-nava <connorlewellyn@navapbc.com>
Co-authored-by: jimmyfagan <jimmyfagan@navapbc.com>

Author: 3 people

apps/authorization/models.py

@@ -48,10 +48,10 @@ def update_expiration_date(self):
             ) + relativedelta(months=+13)
             self.save()
 
-    def update_expiration_date_one_day(self) -> None:
+    def update_expiration_date_one_hour(self) -> None:
         self.expiration_date = datetime.now().replace(
             tzinfo=pytz.UTC
-        ) + relativedelta(hours=+24)
+        ) + relativedelta(hours=+1)
         self.save()
 
     def has_expired(self):
@@ -121,7 +121,7 @@ def create_or_update_data_access_grant_client_credential_flow(user, application)
         beneficiary=user,
         application=application,
     )
-    data_access_grant.update_expiration_date_one_day()
+    data_access_grant.update_expiration_date_one_hour()
     return data_access_grant
 
 

apps/capabilities/management/commands/create_blue_button_scopes.py

@@ -7,7 +7,7 @@
 from apps.capabilities.constants import FHIR_PREFIX_CREATE_BLUE_BUTTON_SCOPES
 from apps.capabilities.models import ProtectedCapability
 
-from apps.constants import HHS_SERVER_LOGNAME_FMT
+from apps.constants import HHS_SERVER_LOGNAME_FMT, LAUNCH_SCOPE, OPENID_SCOPE
 
 logger = logging.getLogger(HHS_SERVER_LOGNAME_FMT.format(__name__))
 
@@ -45,7 +45,7 @@ def create_openid_capability(group, title='Openid profile permissions.'):
     # Currently inert, but should be required with profile for profile information
     c = None
     description = 'Enables user authentication and provides a unique identifier with basic profile info.'
-    scope_string = 'openid'
+    scope_string = OPENID_SCOPE
     pr = []
 
     if not ProtectedCapability.objects.filter(slug=scope_string).exists():
@@ -269,7 +269,7 @@ def create_launch_capability(group, FHIR_PREFIX_CREATE_BLUE_BUTTON_SCOPES, title
 
     c = None
     description = 'Launch with FHIR Patient context.'
-    smart_scope_string = 'launch/patient'
+    smart_scope_string = LAUNCH_SCOPE
     pr = []
 
     if not ProtectedCapability.objects.filter(slug=smart_scope_string).exists():

apps/constants.py

@@ -104,6 +104,12 @@
     ],
 }
 
+COVERAGE_SCOPE = "patient/Coverage.rs"
+PATIENT_SCOPE = "patient/Patient.rs"
+EOB_SCOPE = "patient/ExplanationOfBenefit.rs"
+OPENID_SCOPE = "openid"
+LAUNCH_SCOPE = "launch/patient"
+
 OPERATION_OUTCOME = 'OperationOutcome'
 
 USER_TYPE_BENEFICIARY = 'BEN'

apps/dot_ext/constants.py

@@ -1,4 +1,5 @@
 import re
+from apps.constants import LAUNCH_SCOPE, OPENID_SCOPE
 
 # REGEX of paths that should be updated with auth flow info in hhs_oauth_server.request_logging.py
 AUTH_FLOW_REQUEST_LOGGING_PATHS_REGEX = ('(^/v[1|2|3]/o/authorize/.*'
@@ -83,15 +84,15 @@
     'patient/Coverage.r',
     'patient/Coverage.s',
     'patient/Coverage.rs',
-    'launch/patient',
-    'openid'
+    LAUNCH_SCOPE,
+    OPENID_SCOPE
 ]
 V2_SCOPES_ALL_CONDENSED = [
     'patient/Patient.rs',
     'patient/ExplanationOfBenefit.rs',
     'patient/Coverage.rs',
-    'launch/patient',
-    'openid'
+    LAUNCH_SCOPE,
+    OPENID_SCOPE
 ]
 V2_SCOPES_NON_DEMOGRAPHIC = [
     'patient/ExplanationOfBenefit.r',
@@ -100,14 +101,14 @@
     'patient/Coverage.r',
     'patient/Coverage.s',
     'patient/Coverage.rs',
-    'launch/patient',
-    'openid'
+    LAUNCH_SCOPE,
+    OPENID_SCOPE
 ]
 V2_SCOPES_NON_DEMOGRAPHIC_CONDENSED = [
     'patient/ExplanationOfBenefit.rs',
     'patient/Coverage.rs',
-    'launch/patient',
-    'openid'
+    LAUNCH_SCOPE,
+    OPENID_SCOPE
 ]
 
 # Scope to base URL PATH mapping.

apps/dot_ext/oauth2_server.py

@@ -30,7 +30,7 @@ def my_token_expires_in(request):
     # oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS
     # or one hour if the one_hour_token_expiry switch is active
     if expires_in is None:
-        if switch_is_active("one_hour_token_expiry"):
+        if switch_is_active("one_hour_token_expiry") or (grant_type[0] and grant_type[0] == CLIENT_CREDENTIALS):
             one_hour_delta = timedelta(hours=1)
             seconds_in_one_hour = int(one_hour_delta.total_seconds())
             expires_in = seconds_in_one_hour