[NRL-1051] Add initial impl for MHDS transaction API

mattdean3-nhs · mattdean3-nhs · commit 6dffea4d92c0 · 2024-11-26T17:23:57.000Z
diff --git a/Makefile b/Makefile
@@ -66,7 +66,7 @@ build-layers: ./layer/*
 		./scripts/build-lambda-layer.sh $${layer} $(DIST_PATH); \
 	done
 
-build-api-packages: ./api/consumer/* ./api/producer/*
+build-api-packages: ./api/consumer/* ./api/producer/* ./api/mhds-recipient/*
 	@echo "Building API packages"
 	@mkdir -p $(DIST_PATH)
 	for api in $^; do \
diff --git a/api/mhds-recipient/processTransaction/process_transaction.py b/api/mhds-recipient/processTransaction/process_transaction.py
@@ -0,0 +1,338 @@
+from uuid import uuid4
+
+from nrlf.core.codes import SpineErrorConcept
+from nrlf.core.constants import (
+    PERMISSION_AUDIT_DATES_FROM_PAYLOAD,
+    PERMISSION_SUPERSEDE_IGNORE_DELETE_FAIL,
+)
+from nrlf.core.decorators import request_handler
+from nrlf.core.dynamodb.repository import DocumentPointer, DocumentPointerRepository
+from nrlf.core.errors import OperationOutcomeError
+from nrlf.core.logger import LogReference, logger
+from nrlf.core.model import ConnectionMetadata
+from nrlf.core.response import NRLResponse, Response, SpineErrorResponse
+from nrlf.core.utils import create_fhir_instant
+from nrlf.core.validators import DocumentReferenceValidator
+from nrlf.producer.fhir.r4.model import (
+    BaseModel,
+    Bundle,
+    DocumentReference,
+    DocumentReferenceRelatesTo,
+    ExpressionItem,
+    Meta,
+    OperationOutcomeIssue,
+)
+
+
+def _set_create_time_fields(
+    create_time: str, document_reference: DocumentReference, nrl_permissions: list[str]
+) -> DocumentReference:
+    """
+    Set the date and lastUpdated timestamps on the provided DocumentReference
+    """
+    if not document_reference.meta:
+        document_reference.meta = Meta()
+    document_reference.meta.lastUpdated = create_time
+
+    if (
+        document_reference.date
+        and PERMISSION_AUDIT_DATES_FROM_PAYLOAD in nrl_permissions
+    ):
+        # Perserving the original date if it exists and the permission is set
+        logger.log(
+            LogReference.PROCREATE011,
+            id=document_reference.id,
+            date=document_reference.date,
+        )
+    else:
+        document_reference.date = create_time
+
+    return document_reference
+
+
+def _create_core_model(resource: DocumentReference, metadata: ConnectionMetadata):
+    """
+    Create the DocumentPointer model from the provided DocumentReference
+    """
+    creation_time = create_fhir_instant()
+    document_reference = _set_create_time_fields(
+        creation_time,
+        document_reference=resource,
+        nrl_permissions=metadata.nrl_permissions,
+    )
+
+    return DocumentPointer.from_document_reference(
+        document_reference, created_on=creation_time
+    )
+
+
+def _check_permissions(
+    core_model: DocumentPointer, metadata: ConnectionMetadata
+) -> Response | None:
+    """
+    Check the requester has permissions to create the DocumentReference
+    """
+    custodian_parts = tuple(
+        filter(None, (core_model.custodian, core_model.custodian_suffix))
+    )
+    if metadata.ods_code_parts != custodian_parts:
+        logger.log(
+            LogReference.PROCREATE004,
+            ods_code_parts=metadata.ods_code_parts,
+            custodian_parts=custodian_parts,
+        )
+        return SpineErrorResponse.BAD_REQUEST(
+            diagnostics="The custodian of the provided DocumentReference does not match the expected ODS code for this organisation",
+            expression="custodian.identifier.value",
+        )
+
+    if core_model.type not in metadata.pointer_types:
+        logger.log(
+            LogReference.PROCREATE005,
+            ods_code=metadata.ods_code,
+            type=core_model.type,
+            pointer_types=metadata.pointer_types,
+        )
+        return SpineErrorResponse.AUTHOR_CREDENTIALS_ERROR(
+            diagnostics="The type of the provided DocumentReference is not in the list of allowed types for this organisation",
+            expression="type.coding[0].code",
+        )
+
+    return None
+
+
+def _get_document_ids_to_supersede(
+    resource: DocumentReference,
+    core_model: DocumentPointer,
+    metadata: ConnectionMetadata,
+    repository: DocumentPointerRepository,
+    can_ignore_delete_fail: bool,
+) -> list[str]:
+    """
+    Get the list of document IDs to supersede based on the relatesTo field
+    """
+    if not resource.relatesTo:
+        return []
+
+    logger.log(LogReference.PROCREATE006, relatesTo=resource.relatesTo)
+    ids_to_delete: list[str] = []
+
+    for idx, relates_to in enumerate(resource.relatesTo):
+        identifier = _validate_identifier(relates_to, idx)
+        _validate_producer_id(identifier, metadata, idx)
+
+        if not can_ignore_delete_fail:
+            existing_pointer = _check_existing_pointer(identifier, repository, idx)
+            _validate_pointer_details(existing_pointer, core_model, identifier, idx)
+
+        _append_id_if_replaces(relates_to, ids_to_delete, identifier)
+
+    return ids_to_delete
+
+
+def _validate_identifier(
+    relates_to: DocumentReferenceRelatesTo, idx: str
+) -> str | None:
+    """
+    Validate that there is a identifier in relatesTo target
+    """
+    identifier = getattr(relates_to.target.identifier, "value", None)
+    if not identifier:
+        logger.log(LogReference.PROCREATE007a)
+        _raise_operation_outcome_error(
+            "No identifier value provided for relatesTo target", idx
+        )
+    return identifier
+
+
+def _validate_producer_id(identifier, metadata, idx):
+    """
+    Validate that there is an ODS code in the relatesTo target identifier
+    """
+    producer_id = identifier.split("-", 1)[0]
+    if metadata.ods_code_parts != tuple(producer_id.split("|")):
+        logger.log(
+            LogReference.PROCREATE007b,
+            related_identifier=identifier,
+            ods_code_parts=metadata.ods_code_parts,
+        )
+        _raise_operation_outcome_error(
+            "The relatesTo target identifier value does not include the expected ODS code for this organisation",
+            idx,
+        )
+
+
+def _check_existing_pointer(identifier, repository, idx):
+    """
+    Check that there is an existing pointer that will be deleted when superseding
+    """
+    existing_pointer = repository.get_by_id(identifier)
+    if not existing_pointer:
+        logger.log(LogReference.PROCREATE007c, related_identifier=identifier)
+        _raise_operation_outcome_error(
+            "The relatesTo target document does not exist", idx
+        )
+    return existing_pointer
+
+
+def _validate_pointer_details(existing_pointer, core_model, identifier, idx):
+    """
+    Validate that the nhs numbers and type matches between the existing pointer and the requested one.
+    """
+    if existing_pointer.nhs_number != core_model.nhs_number:
+        logger.log(LogReference.PROCREATE007d, related_identifier=identifier)
+        _raise_operation_outcome_error(
+            "The relatesTo target document NHS number does not match the NHS number in the request",
+            idx,
+        )
+
+    if existing_pointer.type != core_model.type:
+        logger.log(LogReference.PROCREATE007e, related_identifier=identifier)
+        _raise_operation_outcome_error(
+            "The relatesTo target document type does not match the type in the request",
+            idx,
+        )
+
+
+def _append_id_if_replaces(relates_to, ids_to_delete, identifier):
+    """
+    Append pointer ID if the if the relatesTo code is 'replaces'
+    """
+    if relates_to.code == "replaces":
+        logger.log(
+            LogReference.PROCREATE008,
+            relates_to_code=relates_to.code,
+            identifier=identifier,
+        )
+        ids_to_delete.append(identifier)
+
+
+def _raise_operation_outcome_error(diagnostics, idx):
+    """
+    General function to raise an operation outcome error
+    """
+    raise OperationOutcomeError(
+        severity="error",
+        code="invalid",
+        details=SpineErrorConcept.from_code("BAD_REQUEST"),
+        diagnostics=diagnostics,
+        expression=[f"relatesTo[{idx}].target.identifier.value"],
+    )
+
+
+def create_document_reference(
+    metadata: ConnectionMetadata,
+    repository: DocumentPointerRepository,
+    document_reference: DocumentReference,
+) -> Response:
+
+    logger.log(LogReference.PROCREATE000)
+    logger.log(LogReference.PROCREATE001, resource=body)
+
+    id_prefix = "|".join(metadata.ods_code_parts)
+    body.id = f"{id_prefix}-{uuid4()}"
+
+    validator = DocumentReferenceValidator()
+    result = validator.validate(body)
+
+    if not result.is_valid:
+        logger.log(LogReference.PROCREATE002)
+        return Response.from_issues(issues=result.issues, statusCode="400")
+
+    core_model = _create_core_model(result.resource, metadata)
+    if error_response := _check_permissions(core_model, metadata):
+        return error_response
+
+    can_ignore_delete_fail = (
+        PERMISSION_SUPERSEDE_IGNORE_DELETE_FAIL in metadata.nrl_permissions
+    )
+
+    if ids_to_delete := _get_document_ids_to_supersede(
+        result.resource, core_model, metadata, repository, can_ignore_delete_fail
+    ):
+        logger.log(
+            LogReference.PROCREATE010,
+            pointer_id=result.resource.id,
+            ids_to_delete=ids_to_delete,
+        )
+        repository.supersede(core_model, ids_to_delete, can_ignore_delete_fail)
+        logger.log(LogReference.PROCREATE999)
+        return NRLResponse.RESOURCE_SUPERSEDED(resource_id=result.resource.id)
+
+    logger.log(LogReference.PROCREATE009, pointer_id=result.resource.id)
+    repository.create(core_model)
+    logger.log(LogReference.PROCREATE999)
+    return NRLResponse.RESOURCE_CREATED(resource_id=result.resource.id)
+
+
+@request_handler(body=Bundle)
+def handler(
+    metadata: ConnectionMetadata,
+    repository: DocumentPointerRepository,
+    body: Bundle,
+) -> Response:
+    """
+    Handles an MHDS transaction bundle request.
+
+    Currently limited to register requests only.
+
+    Args:
+        metadata (ConnectionMetadata): The connection metadata.
+        repository (DocumentPointerRepository): The document pointer repository.
+        body (Bundle): The bundle containing the resources to process.
+
+    Returns:
+        Response: The response indicating the result of the operation.
+    """
+    if not body.meta.profile[0].endswith(
+        "profiles.ihe.net/ITI/MHD/StructureDefinition/IHE.MHD.UnContained.Comprehensive.ProvideBundle"
+    ):
+        return SpineErrorResponse.BAD_REQUEST(
+            diagnostics="Only IHE.MHD.UnContained.Comprehensive.ProvideBundle profiles are supported",
+            expression="meta.profile",
+        )
+
+    if body.type != "transaction":
+        return SpineErrorResponse.BAD_REQUEST(
+            diagnostics="Only transaction bundles are supported",
+            expression="type",
+        )
+
+    if body.entry is None:
+        return SpineErrorResponse.BAD_REQUEST(
+            diagnostics="The bundle must contain at least one entry", expression="entry"
+        )
+
+    document_references: list[DocumentReference] = []
+
+    # TODO - Handle this better
+    issues: list[BaseModel] = []
+
+    for entry in body.entry:
+        if not entry.resource or entry.resource.resourceType != "DocumentReference":
+            issues.append(
+                OperationOutcomeIssue(
+                    severity="error",
+                    code="exception",
+                    diagnostics="Only DocumentReference resources are supported",
+                    expression=[ExpressionItem("entry.resource.resourceType")],
+                    details=SpineErrorConcept.from_code("BAD_REQUEST"),
+                )
+            )
+
+        document_references.append(DocumentReference.model_validate(entry.resource))
+
+    if issues:
+        return Response.from_issues(issues, statusCode="400")
+
+    responses: list[Response] = []
+    for document_reference in document_references:
+        try:
+            create_response = create_document_reference(
+                metadata, repository, document_reference
+            )
+            responses.append(create_response)
+        except OperationOutcomeError as e:
+            responses.append(e.response)
+
+    return NRLResponse.BUNDLE_CREATED(responses)
diff --git a/terraform/infrastructure/api_gateway.tf b/terraform/infrastructure/api_gateway.tf
@@ -34,6 +34,7 @@ module "producer__gateway" {
     method_upsertDocumentReference     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--upsertDocumentReference", 0, 64)}/invocations"
     method_deleteDocumentReference     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--deleteDocumentReference", 0, 64)}/invocations"
     method_status                      = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--status", 0, 64)}/invocations"
+    method_mhdsProcessTransation       = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--mhdsRecipient--processTransaction", 0, 64)}/invocations"
   }
 
   kms_key_id                   = module.kms__cloudwatch.kms_arn
diff --git a/terraform/infrastructure/lambda.tf b/terraform/infrastructure/lambda.tf
@@ -381,3 +381,33 @@ module "producer__status" {
   handler   = "status.handler"
   retention = var.log_retention_period
 }
+
+module "mhdsReceiver__processTransactionBundle" {
+  source                 = "./modules/lambda"
+  parent_path            = "api/mhds-recipient"
+  name                   = "processTransaction"
+  region                 = local.region
+  prefix                 = local.prefix
+  layers                 = [module.nrlf.layer_arn, module.third_party.layer_arn, module.nrlf_permissions.layer_arn]
+  api_gateway_source_arn = ["arn:aws:execute-api:${local.region}:${local.aws_account_id}:${module.producer__gateway.api_gateway_id}/*/GET/_status"]
+  kms_key_id             = module.kms__cloudwatch.kms_arn
+  environment_variables = {
+    PREFIX               = "${local.prefix}--"
+    ENVIRONMENT          = local.environment
+    AUTH_STORE           = local.auth_store_id
+    POWERTOOLS_LOG_LEVEL = local.log_level
+    SPLUNK_INDEX         = module.firehose__processor.splunk.index
+    DYNAMODB_TIMEOUT     = local.dynamodb_timeout_seconds
+    TABLE_NAME           = local.pointers_table_name
+  }
+  additional_policies = [
+    local.pointers_table_read_policy_arn,
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
+  ]
+  firehose_subscriptions = [
+    module.firehose__processor.firehose_subscription
+  ]
+  handler   = "process_transaction_bundle.handler"
+  retention = var.log_retention_period
+}

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ module "producer__gateway" {`
`34`	`34`	`method_upsertDocumentReference = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--upsertDocumentReference", 0, 64)}/invocations"`
`35`	`35`	`method_deleteDocumentReference = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--deleteDocumentReference", 0, 64)}/invocations"`
`36`	`36`	`method_status = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--producer--status", 0, 64)}/invocations"`
	`37`	`+ method_mhdsProcessTransation = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${local.aws_account_id}:function:${substr("${local.prefix}--api--mhdsRecipient--processTransaction", 0, 64)}/invocations"`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`kms_key_id = module.kms__cloudwatch.kms_arn`