Merge pull request #1516 from NHSDigital/feature/ERSSUP-75192

ERSSUP-75192 - RM65b: Apigee validates Professional user's Identity Assurance Level (IAL) before allowing access to e-RS

Author: paul-forrester-bjss

.editorconfig

@@ -11,7 +11,7 @@ end_of_line = lf
 [Makefile]
 indent_style = tab
 
-[*.{xml,js,json,yaml}]
+[*.{js,json,yaml}]
 indent_size = 2
 
 [*.postman_collection.json]

…hPolicyOperationOutcomeErrorResponse.xml …icationOperationOutcomeErrorResponse.xmlproxies/live/apiproxy/policies/AssignMessage.OAuthPolicyOperationOutcomeErrorResponse.xml renamed to proxies/live/apiproxy/policies/AssignMessage.AuthenticationOperationOutcomeErrorResponse.xml proxies/live/apiproxy/policies/AssignMessage.OAuthPolicyOperationOutcomeErrorResponse.xml renamed to proxies/live/apiproxy/policies/AssignMessage.AuthenticationOperationOutcomeErrorResponse.xml

@@ -1,7 +1,7 @@
-<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.OAuthPolicyOperationOutcomeErrorResponse">
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.AuthenticationOperationOutcomeErrorResponse">
     <Set>
         <StatusCode>401</StatusCode>
-        <Payload contentType="application/fhir+json" variablePrefix="%" variableSuffix="#">{ "resourceType": "OperationOutcome", "meta": { "lastUpdated": "%current_timestamp#", "profile" : [ "https://www.hl7.org/fhir/R4/operationoutcome.html" ] }, "issue": [ { "severity": "error", "code": "login", "details": { "coding": [ { "system": "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode", "code": "ACCESS_DENIED" } ] }, "diagnostics": "%faultstring#" } ] }</Payload>
+        <Payload contentType="application/fhir+json" variablePrefix="%" variableSuffix="#">{ "resourceType": "OperationOutcome", "meta": { "lastUpdated": "%current_timestamp#", "profile" : [ "%op_outcome_fhir_profile#" ] }, "issue": [ { "severity": "error", "code": "%op_outcome_issue_code#", "details": { "coding": [ { "system": "%op_outcome_issue_details_coding_system#", "code": "%op_outcome_issue_details_coding_code#" } ] }, "diagnostics": "%faultstring#" } ] }</Payload>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
     <AssignTo createNew="false" transport="http" type="response"/>

proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-acr-header.xml

@@ -1,7 +1,7 @@
 <AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-acr-header">
     <Set>
         <Headers>
-            <Header name="x-ers-acr">{jwt.DecodeJWT-id-token.decoded.claim.acr}</Header>
+            <Header name="x-ers-acr">{accesstoken.id_token-acr}</Header>
         </Headers>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-id-assurance-level-header.xml

@@ -1,7 +1,7 @@
 <AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-id-assurance-level-header">
     <Set>
         <Headers>
-            <Header name="x-ers-id-assurance-level">{jwt.DecodeJWT-id-token.decoded.claim.id_assurance_level}</Header>
+            <Header name="x-ers-id-assurance-level">{accesstoken.id_token-id-assurance-level}</Header>
         </Headers>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueCodeLogin.xml

@@ -0,0 +1,6 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueCodeLogin">
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>login</Value>
+    </AssignVariable>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueIal.xml

@@ -0,0 +1,10 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueIal">
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>We couldn't verify your identity. Contact your local Registration Authority or IT department for help.</Value>
+    </AssignVariable>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeVariablesPreR4.xml

@@ -0,0 +1,14 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeVariablesPreR4">
+    <AssignVariable>
+        <Name>op_outcome_fhir_profile</Name>
+        <Value>https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_system</Name>
+        <Value>https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>NO_ACCESS</Value>
+    </AssignVariable>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeVariablesR4.xml

@@ -0,0 +1,14 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeVariablesR4">
+    <AssignVariable>
+        <Name>op_outcome_fhir_profile</Name>
+        <Value>https://www.hl7.org/fhir/R4/operationoutcome.html</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_system</Name>
+        <Value>https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>ACCESS_DENIED</Value>
+    </AssignVariable>
+</AssignMessage>

proxies/live/apiproxy/policies/DecodeJWT-id-token.xml

@@ -0,0 +1,9 @@
+<RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.401InsufficientIal">
+    <FaultResponse>
+        <Set>
+            <StatusCode>401</StatusCode>
+            <ReasonPhrase>Unauthorized</ReasonPhrase>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>