Merge pull request #1821 from NHSDigital/develop

APIM-R 1.38 Cut

Author: nhsd-david-wass

manifest_template.yml

@@ -79,7 +79,7 @@ ACCESS_MODES:
   - name: healthcare-worker
     nameSuffix: -healthcare-worker
     displayName: Healthcare Worker
-    scopes: ['urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api']
+    scopes: ['urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api', 'urn:nhsd:apim:user-nhs-id:aal2:e-referrals-service-api']
     requireCallbackUrl: true
     description: User restricted
 

package-lock.json

@@ -12,10 +12,10 @@
   "license": "MIT",
   "homepage": "https://github.com/NHSDigital/e-referrals-service-api",
   "dependencies": {
-    "@redocly/cli": "^1.23.1"
+    "@redocly/cli": "^1.25.5"
   },
   "devDependencies": {
-    "apigeetool": "^0.16.4",
+    "apigeetool": "^0.16.5",
     "license-checker": "^25.0.1",
     "minimist": "^1.2.8"
   }

package.json

@@ -1,6 +1,7 @@
 <AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.AuthenticationOperationOutcomeErrorResponse">
     <Set>
         <StatusCode>401</StatusCode>
+        <ReasonPhrase>Unauthorized</ReasonPhrase>
         <Payload contentType="application/fhir+json" variablePrefix="%" variableSuffix="#">{ "resourceType": "OperationOutcome", "meta": { "lastUpdated": "%current_timestamp#", "profile" : [ "%op_outcome_fhir_profile#" ] }, "issue": [ { "severity": "error", "code": "%op_outcome_issue_code#", "details": { "coding": [ { "system": "%op_outcome_issue_details_coding_system#", "code": "%op_outcome_issue_details_coding_code#" } ] }, "diagnostics": "%faultstring#" } ] }</Payload>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

poetry.lock

@@ -1,7 +1,7 @@
-<AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-acr-header">
+<AssignMessage continueOnError="true" name="AssignMessage.Set.x-ers-authentication-assurance-level-header">
     <Set>
         <Headers>
-            <Header name="x-ers-acr">{accesstoken.id_token-acr}</Header>
+            <Header name="x-ers-authentication-assurance-level">{accesstoken.id_token-authentication_assurance_level}</Header>
         </Headers>
     </Set>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

proxies/live/apiproxy/policies/AssignMessage.AuthenticationOperationOutcomeErrorResponse.xml

@@ -0,0 +1,10 @@
+<AssignMessage enabled="true" name="AssignMessage.SetInsufficientAALVariables">
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>The authentication method utilised is not currently supported. Contact your local Registration Authority or IT department for help.</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>aalError</Name>
+        <Value>true</Value>
+    </AssignVariable>
+</AssignMessage>

…s/AssignMessage.Set.x-ers-acr-header.xml …uthentication-assurance-level-header.xmlproxies/live/apiproxy/policies/AssignMessage.Set.x-ers-acr-header.xml renamed to proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-authentication-assurance-level-header.xml proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-acr-header.xml renamed to proxies/live/apiproxy/policies/AssignMessage.Set.x-ers-authentication-assurance-level-header.xml

@@ -1,4 +1,4 @@
 <OAuthV2 async="false" continueOnError="false" enabled="true" name="OauthV2.VerifyAccessToken">
-  <Operation>VerifyAccessToken</Operation>
-  <Scope>urn:nhsd:apim:app:level3:e-referrals-service-api urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api</Scope>
+    <Operation>VerifyAccessToken</Operation>
+    <Scope>urn:nhsd:apim:app:level3:e-referrals-service-api urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api urn:nhsd:apim:user-nhs-id:aal2:e-referrals-service-api</Scope>
 </OAuthV2>

proxies/live/apiproxy/policies/AssignMessage.SetInsufficientAALVariables.xml

@@ -1,12 +1,16 @@
 <TargetEndpoint name="e-referrals-service-api-target">
     <FaultRules>
-        <FaultRule name="access_token_expired_fhir_r4">
+        <FaultRule name="access_token_error_fhir_r4">
             <Step>
                 <Name>ExtractVariables.OAuthErrorFaultString</Name>
             </Step>
             <Step>
                 <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
             </Step>
+            <Step>
+                <Name>AssignMessage.SetInsufficientAALVariables</Name>
+                <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
+            </Step>
             <Step>
                 <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
             </Step>
@@ -15,12 +19,32 @@
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = true)</Condition>
         </FaultRule>
-        <FaultRule name="access_token_expired">
+        <FaultRule name="access_token_error">
             <Step>
                 <Name>ExtractVariables.OAuthErrorFaultString</Name>
             </Step>
+            <Step>
+                <Name>AssignMessage.SetInsufficientAALVariables</Name>
+                <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <Condition>aalError == true</Condition>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
+                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <Condition>aalError == true</Condition>
+            </Step>
             <Step>
                 <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
+                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <Condition>aalError != true</Condition>
+            </Step>
+            <Step>
+                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Condition>aalError = true</Condition>
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = false)</Condition>
         </FaultRule>
@@ -137,7 +161,7 @@
                 </Step> <Step>
                     <Name>AssignMessage.Remove.x-request-id-header</Name>
                 </Step><Step>
-                    <Name>AssignMessage.Set.x-ers-acr-header</Name>
+                    <Name>AssignMessage.Set.x-ers-authentication-assurance-level-header</Name>
                 </Step><Step>
                     <Name>AssignMessage.Set.x-ers-amr-header</Name>
                 </Step><Step>

proxies/live/apiproxy/policies/OAuthV2.VerifyAccessToken.xml

@@ -30,15 +30,15 @@ lxml = "^4.9.4"
 xmlformatter = "^0.2.6"
 pytest-check = "^2.4.1"
 requests = "^2.32.3"
-openapi-core = "^0.19.3"
+openapi-core = "^0.19.4"
 
 
 [tool.poetry.dev-dependencies]
 flake8 = "^5.0.4"
 black = "^24.8"
 pip-licenses = "^4.5.1"
 jinja2 = "^3.1.4"
-pytest = "^8.3.2"
+pytest = "^8.3.3"
 pytest-asyncio = "^0.24.0"
 pytest-nhsd-apim = "^3.4.3"