Merge pull request #1423 from NHSDigital/feature/ERSSUP-71856

ERSSUP-71856 Decode ID token and set IAL claim as a new header

Author: paul-forrester-bjss

azure/project.yml

@@ -3,5 +3,5 @@ variables:
   short_service_name: ers
   service_base_path: referrals
   product_display_name: e-Referrals-Service
-  product_description: The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://developer.nhs.uk/apis/e-Referrals/index.html
-  spec_file: e-referrals-service-api.json
+  product_description: The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://digital.nhs.uk/developer/api-catalogue/e-referral-service-fhir
+  spec_file: e-referrals-service-api.json

proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-acr-header.xml

@@ -0,0 +1,9 @@
+<AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-acr-header">
+    <Set>
+        <Headers>
+            <Header name="x-ers-acr">{jwt.DecodeJWT-id-token.decoded.claim.acr}</Header>
+        </Headers>
+    </Set>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false"/>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-amr-header.xml

@@ -0,0 +1,9 @@
+<AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-amr-header">
+    <Set>
+        <Headers>
+            <Header name="x-ers-amr">{accesstoken.id_token-amr}</Header>
+        </Headers>
+    </Set>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false"/>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-id-assurance-level-header.xml

@@ -0,0 +1,9 @@
+<AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-id-assurance-level-header">
+    <Set>
+        <Headers>
+            <Header name="x-ers-id-assurance-level">{jwt.DecodeJWT-id-token.decoded.claim.id_assurance_level}</Header>
+        </Headers>
+    </Set>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false"/>
+</AssignMessage>

proxies/live/apiproxy/policies/DecodeJWT-id-token.xml

@@ -0,0 +1,3 @@
+<DecodeJWT continueOnError="true" name="DecodeJWT-id-token">
+    <Source>accesstoken.id_token</Source>
+</DecodeJWT>

proxies/live/apiproxy/targets/ers-target.xml

@@ -113,6 +113,14 @@
                     <Condition>(request.header.nhsd-ers-referral-id ~~ ".+")</Condition>
                 </Step> <Step>
                     <Name>AssignMessage.Remove.x-request-id-header</Name>
+                </Step><Step>
+                    <Name>AssignMessage.Set.x-ers-amr-header</Name>
+                </Step><Step>
+                    <Name>DecodeJWT-id-token</Name>
+                </Step><Step>
+                    <Name>AssignMessage.Set.x-ers-acr-header</Name>
+                </Step><Step>
+                    <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
                 </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %}<Step>
                     <Name>AssignMessage.SetEchoTarget</Name>
                     <Condition>(request.header.echo)</Condition>

specification/e-referrals-service-api.yaml

@@ -8,7 +8,7 @@ x-nhsd-api-platform:
     short_service_name: ers
     service_base_path: referrals
     product_display_name: e-Referrals-Service
-    product_description: 'The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://developer.nhs.uk/apis/e-Referrals/index.html'
+    product_description: 'The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://digital.nhs.uk/developer/api-catalogue/e-referral-service-fhir'
     pipeline_name_prefix: E-Referrals-Service
 info:
   version: 0.0.1

terraform/main.tf

@@ -22,5 +22,5 @@ module "e-referrals-service-api" {
   namespace                = var.namespace
   make_api_product         = !(length(regexall("sandbox", var.apigee_environment)) > 0)
   api_product_display_name = length(var.namespace) > 0 ? "e-referrals-service-api${var.namespace}" : "e-Referrals-Service"
-  api_product_description  = "The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://developer.nhs.uk/apis/e-Referrals/index.html"
+  api_product_description  = "The NHS e-RS vision is to enable local innovation and adoption of paperless referrals. To support this vision NHS Digital have created a set of APIs which provide a well-defined, simple to use data interface to the NHS e-Referral Service (e-RS). See https://digital.nhs.uk/developer/api-catalogue/e-referral-service-fhir"
 }

tests/integration/test_headers.py

@@ -11,6 +11,9 @@
 _HEADER_REQUEST_ID = "x-request-id"
 _HEADER_ASID = "xapi_asid"
 _HEADER_ACCESS_MODE = "x-ers-access-mode"
+_HEADER_ACR = "x-ers-acr"
+_HEADER_AMR = "x-ers-amr"
+_HEADER_ID_ASSURANCE_LEVEL = "x-ers-id-assurance-level"
 
 _EXPECTED_REFERRAL_ID = "000000040032"
 _EXPECTED_CORRELATION_ID = "123123-123123-123123-123123"
@@ -19,6 +22,9 @@
 _EXPECTED_COMM_RULE_ORG = "R100"
 _EXPECTED_OBO_USER_ID = "0123456789000"
 _EXPECTED_ACCESS_MODE = "user-restricted"
+_EXPECTED_ACR = "AAL3_ANY"
+_EXPECTED_AMR = "[N3_SMARTCARD]"
+_EXPECTED_ID_ASSURANCE_LEVEL = "3"
 
 _SPECIALTY_REF_DATA_URL = "/FHIR/STU3/CodeSystem/SPECIALTY"
 _SEARCH_HEALTHCARE_SERVICE_R4_URL = "/FHIR/R4/HealthcareService"
@@ -142,6 +148,15 @@ def assert_ok_echo_response(
         assert target_request_headers[_HEADER_USER_ID] == referring_clinician.user_id
         assert target_request_headers[_HEADER_BASE_URL] == service_url
         assert target_request_headers[_HEADER_ACCESS_MODE] == _EXPECTED_ACCESS_MODE
+        assert target_request_headers[_HEADER_ACR] == _EXPECTED_ACR
+        assert target_request_headers[_HEADER_AMR] == _EXPECTED_AMR
+
+        # TODO: Uncomment IAL assert when APIM's CIS2 mock starts returning it
+
+    #         assert (
+    #             target_request_headers[_HEADER_ID_ASSURANCE_LEVEL]
+    #             == _EXPECTED_ID_ASSURANCE_LEVEL
+    #         )
 
     @pytest.mark.asyncio
     async def test_access_mode_header_overwritten_on_echo_target(