change approach with apim_app_flow_vars injection

kevinmason-nhs · kevinmason-nhs · commit 2486970d64d1 · 2025-09-10T11:42:22.000+01:00
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -342,10 +342,8 @@ async def _make_app(product, custom_attributes={}):
 
 @pytest.fixture
 def authenticate_user(client, user_restricted_app, environment, oauth_url):
-    async def _auth(actor: Actor, apim_app_flow_vars=None):
+    async def _auth(actor: Actor):
         print(f"Attempting to authenticate: {actor}")
-        if apim_app_flow_vars is not None:
-            print(f"Using apim_app_flow_vars: {apim_app_flow_vars}")
 
         credentials = user_restricted_app["credentials"][0]
 
diff --git a/tests/integration/test_user_restricted.py b/tests/integration/test_user_restricted.py
@@ -74,45 +74,49 @@ async def test_user_restricted_valid_ods_code(
             response.status_code == 200
         ), "Expected a 200 when accessing the api but got " + str(response.status_code)
 
-#     TODO: Pick up as part of follow-up ODS technical debt work
-#     @pytest.mark.asyncio
-#     @pytest.mark.parametrize(
-#         "endpoint_url, is_fhir_4",
-#         [("", False), ("/FHIR/R4/", True), ("/FHIR/STU3/", False)],
-#     )
-#     async def test_user_restricted_invalid_ods_code(
-#         self,
-#         authenticate_user,
-#         endpoint_url,
-#         referring_clinician,
-#         is_fhir_4,
-#         service_url,
-#         update_user_restricted_product,
-#     ):
-#         access_code = await authenticate_user(referring_clinician, ["invalid_code"])
-#
-#         client_request_headers = {
-#             _HEADER_ECHO: "",  # enable echo target
-#             _HEADER_AUTHORIZATION: "Bearer " + access_code,
-#             _HEADER_REQUEST_ID: "DUMMY-VALUE",
-#             RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
-#             RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
-#             RenamedHeader.BUSINESS_FUNCTION.original: referring_clinician.business_function,
-#             RenamedHeader.ODS_CODE.original: referring_clinician.org_code,
-#             RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
-#             RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
-#             RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
-#         }
-#
-#         # Make the API call
-#
-#         # Make request with user with ODS code not in allow list (e.g. R69)
-#         response = requests.get(
-#             f"{service_url}{endpoint_url}", headers=client_request_headers
-#         )
-#
-#         # Verify the status
-#         # Verify 403 response with appropriate error message
-#         assert (
-#             response.status_code == 403
-#         ), "Expected a 403 when accessing the api but got " + str(response.status_code)
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, apim_app_flow_vars",
+        [
+            ("", False, ["invalid_code"]),
+            ("/FHIR/R4/", True, ["invalid_code"]),
+            ("/FHIR/STU3/", False, ["invalid_code"]),
+        ],
+    )
+    async def test_user_restricted_invalid_ods_code(
+        self,
+        authenticate_user,
+        endpoint_url,
+        referring_clinician,
+        is_fhir_4,
+        service_url,
+        apim_app_flow_vars,
+        update_user_restricted_product,
+    ):
+        access_code = await authenticate_user(referring_clinician)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: referring_clinician.business_function,
+            RenamedHeader.ODS_CODE.original: referring_clinician.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+
+        # Make request with user with ODS code not in allow list (e.g. R69)
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+
+        # Verify the status
+        # Verify 403 response with appropriate error message
+        assert (
+            response.status_code == 403
+        ), "Expected a 403 when accessing the api but got " + str(response.status_code)
