updates to use new APIM shared flow

kevinmason-nhs · kevinmason-nhs · commit 338e66d917de · 2025-08-07T17:45:49.000+01:00
diff --git a/macros/manifest_macros.yml b/macros/manifest_macros.yml
@@ -3,12 +3,14 @@
     products:
 {% endmacro %}
 
-{%- macro product(ENV, MODE, TITLE, product_name, display_name) -%}
+{%- macro product(ENV, MODE, TITLE, product_name, display_name, euo_allowlist_required) -%}
       - name: e-referrals-service-api-{{ product_name }}{{ MODE.nameSuffix }}
         approvalType: {{ ENV.approval_type | default('auto') }}
         attributes:
           - name: access
             value: public
+          - name: EUOAllowlistRequired
+            value: {{ euo_allowlist_required }}
           - name: ratelimiting
             value:
               e-referrals-service-api-{{ product_name }}:
diff --git a/manifest_template.yml b/manifest_template.yml
@@ -16,25 +16,34 @@ APIGEE_ENVIRONMENTS:
   variants:
   - name: alpha-internal-dev
     display_name: Internal Development - alpha
+    euo_allowlist_required: true
   - name: rc-internal-dev
     display_name: Internal Development - rc
+    euo_allowlist_required: true
   - name: fix-internal-dev
     display_name: Internal Development - fix
+    euo_allowlist_required: true
   - name: fti-internal-dev
     display_name: Internal Development - ft01
+    euo_allowlist_required: true
   - name: ftiv-internal-dev
     display_name: Internal Development - ft04
+    euo_allowlist_required: true
   - name: ftv-internal-dev
     display_name: Internal Development - ft05
+    euo_allowlist_required: true
   - name: ftix-internal-dev
     display_name: Internal Development - ft09
+    euo_allowlist_required: true
   - name: ftxxii-internal-dev
     display_name: Internal Development - ft22
+    euo_allowlist_required: true
 
 - name: internal-dev-sandbox
   variants:
     - name: internal-dev-sandbox
       display_name: Internal Development Sandbox
+      euo_allowlist_required: true
 
 - name: int
   additional_proxies:
@@ -43,6 +52,7 @@ APIGEE_ENVIRONMENTS:
   variants:
     - name: int
       display_name: Integration Testing
+      euo_allowlist_required: true
 
 - name: internal-qa
   additional_proxies:
@@ -51,29 +61,34 @@ APIGEE_ENVIRONMENTS:
   variants:
     - name: internal-qa
       display_name: Internal QA
+      euo_allowlist_required: true
 
 - name: internal-qa-sandbox
   variants:
     - name: internal-qa-sandbox
       display_name: Internal QA Sandbox
+      euo_allowlist_required: true
 
 - name: sandbox
   variants:
     - name: sandbox
       display_name: Sandbox
+      euo_allowlist_required: true
 
 - name: dev
   additional_proxies:
     - identity-service-dep-dev
   variants:
   - name: dep-dev
     display_name: Dev - dep
+    euo_allowlist_required: true
 
 - name: prod
   approval_type: manual
   variants:
     - name: prod
       display_name: Production
+      euo_allowlist_required: false
 
 ACCESS_MODES:
   - name: healthcare-worker
@@ -106,7 +121,7 @@ apigee:
 
 {%    for VARIANT in ENV.variants %}
 {%      for MODE in ACCESS_MODES %}
-      {{ macros.product(ENV, MODE, TITLE, VARIANT.name, VARIANT.display_name) }}
+      {{ macros.product(ENV, MODE, TITLE, VARIANT.name, VARIANT.display_name, VARIANT.euo_allowlist_required) }}
 {%      endfor %}
 {%    endfor %}
 
diff --git a/proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistRequired.xml b/proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistRequired.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<FlowCallout async="false" continueOnError="false" enabled="true" name="FlowCallout.EUOAllowlistRequired">
+    <DisplayName>EUOAllowlistRequired</DisplayName>
+    <SharedFlowBundle>EUOAllowlistRequired</SharedFlowBundle>
+</FlowCallout>
diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
@@ -118,6 +118,19 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
+            <!-- Must be placed after Authentication -->
+            <Step>
+                <Name>FlowCallout.EUOAllowlistRequired</Name>
+                <Condition>(accesstoken.auth_type == "user")</Condition>
+            </Step>
+            <Step>
+                <Name>FlowCallout.ExtendedAttributes</Name>
+                <Condition>(flow.shouldInvokeEUOAllowlist = true)</Condition>
+            </Step>
+            <Step>
+                <Name>FlowCallout.EUOAllowlistVerify</Name>
+                <Condition>(flow.shouldInvokeEUOAllowlist = true)</Condition>
+            </Step>
             <Step>
                 <Name>RaiseFault.MissingAsid</Name>
                 <Condition>(app.asid == null) Or (app.asid == "")</Condition>
@@ -157,10 +170,6 @@
             <Response/>
             <Request><Step>
                     <Name>FlowCallout.ExtendedAttributes</Name>
-                </Step> <Step>
-                    <Name>FlowCallout.EUOAllowlistVerify</Name>
-                    <!--                    Change this to be inline using the app attribute -->
-                    <Condition>(verifyapikey.Verify‑API‑Key.app.EUOAllowlistEnabled == true)</Condition>
                 </Step> <!--AUTHORISED_APPLICATION business function is not supported in user restricted flow --><Step>
                     <Name>RaiseFault.403Forbidden</Name>
                     <Condition>(request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
