Merge pull request #557 from NHSDigital/feature/thju1-NRL-578-implementValidationFramework

NRL-578 Integration tests

Author: Tomdango

api/producer/createDocumentReference/create_document_reference.py

@@ -58,8 +58,8 @@ def handler(
 
     logger.log(LogReference.PROCREATE001, resource=body)
 
-    ods_prefix = metadata.ods_code_parts[0]
-    body.id = f"{ods_prefix}-{uuid4()}"
+    id_prefix = "|".join(metadata.ods_code_parts)
+    body.id = f"{id_prefix}-{uuid4()}"
 
     validator = DocumentReferenceValidator()
     result = validator.validate(body)

api/producer/searchDocumentReference/search_document_reference.py

@@ -30,12 +30,12 @@ def handler(
 
     logger.log(LogReference.PROSEARCH000)
 
-    if not params.nhs_number:
+    if params.subject_identifier and not params.nhs_number:
         logger.log(
             LogReference.PROSEARCH001, subject_identifier=params.subject_identifier
         )
         return SpineErrorResponse.INVALID_NHS_NUMBER(
-            diagnostics="A valid NHS number is required to search for document references",
+            diagnostics="Invalid NHS number provided in the search parameters",
             expression="subject:identifier",
         )
 

api/producer/searchDocumentReference/tests/test_search_document_reference_producer.py

@@ -75,28 +75,14 @@ def test_search_document_reference_missing_nhs_number(
     result = handler(event, create_mock_context())
     body = result.pop("body")
 
-    assert result == {"statusCode": "400", "headers": {}, "isBase64Encoded": False}
+    assert result == {"statusCode": "200", "headers": {}, "isBase64Encoded": False}
 
     parsed_body = json.loads(body)
     assert parsed_body == {
-        "resourceType": "OperationOutcome",
-        "issue": [
-            {
-                "severity": "error",
-                "code": "invalid",
-                "details": {
-                    "coding": [
-                        {
-                            "code": "INVALID_NHS_NUMBER",
-                            "display": "Invalid NHS number",
-                            "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
-                        }
-                    ]
-                },
-                "diagnostics": "A valid NHS number is required to search for document references",
-                "expression": ["subject:identifier"],
-            }
-        ],
+        "resourceType": "Bundle",
+        "type": "searchset",
+        "total": 0,
+        "entry": [],
     }
 
 
@@ -133,7 +119,7 @@ def test_search_document_reference_invalid_nhs_number(
                         }
                     ]
                 },
-                "diagnostics": "A valid NHS number is required to search for document references",
+                "diagnostics": "Invalid NHS number provided in the search parameters",
                 "expression": ["subject:identifier"],
             }
         ],

tests/features/consumer/countDocumentReference-failure.feature

@@ -2,14 +2,14 @@ Feature: Consumer - countDocumentReference - Failure Scenarios
 
   Scenario: No query parameters provided
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter | value |
     Then the response status code is 400
     And the response is an OperationOutcome with 1 issue
-    And the OperationOutcome contains the following issue:
+    And the OperationOutcome contains the issue:
       """
       {
         "severity": "error",
@@ -28,15 +28,15 @@ Feature: Consumer - countDocumentReference - Failure Scenarios
 
   Scenario: Invalid NHS number provided
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                  |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|123 |
     Then the response status code is 400
     And the response is an OperationOutcome with 1 issue
-    And the OperationOutcome contains the following issue:
+    And the OperationOutcome contains the issue:
       """
       {
         "severity": "error",
@@ -55,14 +55,14 @@ Feature: Consumer - countDocumentReference - Failure Scenarios
 
   Scenario: Organisation has no permissions
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system | value |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                        |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|999999999 |
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
-    And the OperationOutcome contains the following issue:
+    And the OperationOutcome contains the issue:
       """
       {
         "severity": "error",
@@ -81,12 +81,14 @@ Feature: Consumer - countDocumentReference - Failure Scenarios
   Scenario: Organisation has no permissions in S3
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the application is configured to lookup permissions from S3
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    And the organisation 'RX898' is authorised in S3 to access pointer types
+      | system | value |
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                        |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|999999999 |
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
-    And the OperationOutcome contains the following issue:
+    And the OperationOutcome contains the issue:
       """
       {
         "severity": "error",

tests/features/consumer/countDocumentReference-success.feature

@@ -2,7 +2,7 @@ Feature: Consumer - countDocumentReference - Success Scenarios
 
   Scenario: Single pointer found for patient
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
     And a DocumentReference resource exists with values:
@@ -14,16 +14,17 @@ Feature: Consumer - countDocumentReference - Success Scenarios
       | contentType | application/pdf                  |
       | url         | https://example.org/my-doc.pdf   |
       | custodian   | 8FW23                            |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                         |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|9278693472 |
     Then the response status code is 200
-    And the response is a searchset Bundle with a total of 1
+    And the response is a searchset Bundle
+    And the Bundle has a total of 1
     And the response does not contain the key 'entry'
 
   Scenario: No pointers found for patient
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value     |
       | http://snomed.info/sct | 736253002 |
     And a DocumentReference resource exists with values:
@@ -35,16 +36,17 @@ Feature: Consumer - countDocumentReference - Success Scenarios
       | contentType | application/pdf                  |
       | url         | https://example.org/my-doc.pdf   |
       | custodian   | 8FW23                            |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                         |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|9995001624 |
     Then the response status code is 200
-    And the response is a searchset Bundle with a total of 0
+    And the response is a searchset Bundle
+    And the Bundle has a total of 0
     And the response does not contain the key 'entry'
 
   Scenario: Multiple pointers found for patient
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And the organisation 'Yorkshire Ambulance Service' (ODS Code 'RX898') is authorised to access pointer types:
+    And the organisation 'RX898' is authorised to access pointer types:
       | system                 | value           |
       | http://snomed.info/sct | 736253002       |
       | http://snomed.info/sct | 887701000000100 |
@@ -75,9 +77,10 @@ Feature: Consumer - countDocumentReference - Success Scenarios
       | contentType | application/pdf                 |
       | url         | https://example.org/my-doc3.pdf |
       | custodian   | 8FW23                           |
-    When the organisation 'RX898' requests to count DocumentReferences with parameters:
+    When consumer 'RX898' counts DocumentReferences with parameters:
       | parameter          | value                                         |
       | subject:identifier | https://fhir.nhs.uk/Id/nhs-number\|9278693472 |
     Then the response status code is 200
-    And the response is a searchset Bundle with a total of 3
+    And the response is a searchset Bundle
+    And the Bundle has a total of 3
     And the response does not contain the key 'entry'

tests/features/consumer/readDocumentReference-failure.feature

@@ -1,5 +1,177 @@
-# No path params provided or no ID in params
-# No permissions to access resource in request params
-# No permissions to access resource in S3 bucket
-# Attempt to access pointer type without permissions
 # Invalid ID (X26|Something-)
+Feature: Consumer - readDocumentReference - Failure Scenarios
+
+  Scenario: Pointer not found
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    Then the response status code is 404
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "not-found",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "NO_RECORD_FOUND",
+              "display": "No record found"
+            }
+          ]
+        },
+        "diagnostics": "The requested DocumentReference could not be found"
+      }
+      """
+
+  # TODO: This scenario is not valid as the ID is not valid - additional validation required
+  Scenario: Invalid ID in path parameters
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When consumer 'RX898' reads a DocumentReference with ID 'X26`DROP TABLE 'pointers';--Something-000000000-000000000'
+    Then the response status code is 404
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "not-found",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "NO_RECORD_FOUND",
+              "display": "No record found"
+            }
+          ]
+        },
+        "diagnostics": "The requested DocumentReference could not be found"
+      }
+      """
+
+  Scenario: No permissions to access any resources
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system | value |
+    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "Your organisation 'RX898' does not have permission to access this resource. Contact the onboarding team."
+      }
+      """
+
+  Scenario: No permissions to access specific pointer type
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    And a DocumentReference resource exists with values:
+      | property    | value                                  |
+      | id          | 02V-1111111111-ReadDocRefNoAuthForType |
+      | subject     | 9278693472                             |
+      | status      | current                                |
+      | type        | 887701000000100                        |
+      | contentType | application/pdf                        |
+      | url         | https://example.org/my-doc.pdf         |
+      | custodian   | 02V                                    |
+    When consumer 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForType'
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "The requested DocumentReference is not of a type that this organisation is allowed to access"
+      }
+      """
+
+  Scenario: No permissions to access any pointers in S3
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the application is configured to lookup permissions from S3
+    And the organisation 'RX898' is authorised in S3 to access pointer types:
+      | system | value |
+    When consumer 'RX898' reads a DocumentReference with ID 'X26-000000000-000000000'
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "Your organisation 'RX898' does not have permission to access this resource. Contact the onboarding team."
+      }
+      """
+
+  Scenario: No permissions to access specific pointer type in S3
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the application is configured to lookup permissions from S3
+    And the organisation 'RX898' is authorised in S3 to access pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    And a DocumentReference resource exists with values:
+      | property    | value                                    |
+      | id          | 02V-1111111111-ReadDocRefNoAuthForTypeS3 |
+      | subject     | 9278693472                               |
+      | status      | current                                  |
+      | type        | 887701000000100                          |
+      | contentType | application/pdf                          |
+      | url         | https://example.org/my-doc.pdf           |
+      | custodian   | 02V                                      |
+    When consumer 'RX898' reads a DocumentReference with ID '02V-1111111111-ReadDocRefNoAuthForTypeS3'
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "The requested DocumentReference is not of a type that this organisation is allowed to access"
+      }
+      """