Squashed commit of the following:

commit a50ffff
Author: kevinmason-nhs <[email protected]>
Date:   Thu Sep 11 09:39:13 2025 +0100

    tests passing, added 400 error case

commit 29ea4f7
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 16:28:28 2025 +0100

    convert dict to string

commit f5f1dfa
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 14:34:09 2025 +0100

    fixes list not being a string

commit bc8d928
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 12:53:56 2025 +0100

    define user and pass org code

commit f6bfc54
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 12:23:49 2025 +0100

    fixes broken test

commit 2486970
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 11:36:01 2025 +0100

    change approach with apim_app_flow_vars injection

commit baa0bf9
Author: patrick cando <[email protected]>
Date:   Wed Sep 10 11:24:12 2025 +0100

    Comment out ODS IT invalid tests

commit b12bf0a
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 10:30:58 2025 +0100

    adds logging for apim_app_flow_vars

commit be591ce
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 10:06:44 2025 +0100

    use a valid actor for user restricted testing

commit c33d628
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 09:48:45 2025 +0100

    fixes variable name

commit 7b6861c
Author: kevinmason-nhs <[email protected]>
Date:   Wed Sep 10 09:11:37 2025 +0100

    adds logging

commit a4eeb80
Author: kevinmason-nhs <[email protected]>
Date:   Tue Sep 9 23:21:53 2025 +0100

    fixes proxy and adds success cases

Author: kevinmason-nhs

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeServiceError.xml

@@ -1,4 +1,4 @@
-<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeODSHeaderMissingR4">
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeServiceError">
     <AssignVariable>
         <Name>status_code</Name>
         <Value>500</Value>

proxies/live/apiproxy/targets/ers-target.xml

@@ -150,7 +150,7 @@
             </Step>
             <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 400)</Condition>
         </FaultRule>
-        <FaultRule name="single_asid_app_misconfigured">
+        <FaultRule name="euo_allowlist_internal_error">
             <Step>
                 <Condition>(isFhirR4Path = false)</Condition>
                 <Name>AssignMessage.InternalServerError</Name>
@@ -181,7 +181,7 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
-            <!-- Must be placed after Authentication -->
+            <!-- https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without -->
             <Step>
                 <Name>FlowCallout.ExtendedAttributes</Name>
                 <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>

tests/conftest.py

@@ -2,6 +2,7 @@
 import pytest
 import pytest_asyncio
 import warnings
+import json
 
 from uuid import uuid4
 from typing import Collection, Callable, Generator, Dict
@@ -134,7 +135,7 @@ async def user_restricted_product(client, make_product):
             "urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api",
             "urn:nhsd:apim:user-nhs-id:aal2:e-referrals-service-api",
         ],
-        additional_attributes=[{"name": "EUOAllowlist", "value": "false"}],
+        additional_attributes=[{"name": "EUOAllowlistRequired", "value": "false"}],
     )
 
     print(f"product created: {productName}")
@@ -288,9 +289,10 @@ async def user_restricted_app(
 ):
     # Setup
     if apim_app_flow_vars is not None:
+        odslist = json.dumps({"ers": {"allowListodsCode": apim_app_flow_vars}})
         app = await make_app(
             user_restricted_product,
-            {"asid": asid, "apim-app-flow-vars": apim_app_flow_vars},
+            {"asid": asid, "apim-app-flow-vars": odslist},
         )
     else:
         app = await make_app(user_restricted_product, {"asid": asid})
@@ -316,6 +318,7 @@ async def _make_app(product, custom_attributes={}):
             {"name": key, "value": value} for key, value in custom_attributes.items()
         ]
         attributes.append({"name": "DisplayName", "value": app_name})
+        print(f"App attributes: {attributes}")
 
         body = {
             "apiProducts": [product],
@@ -336,7 +339,7 @@ async def _make_app(product, custom_attributes={}):
 
 @pytest.fixture
 def authenticate_user(client, user_restricted_app, environment, oauth_url):
-    async def _auth(actor: Actor, apim_app_flow_vars=None):
+    async def _auth(actor: Actor):
         print(f"Attempting to authenticate: {actor}")
 
         credentials = user_restricted_app["credentials"][0]

tests/integration/test_user_restricted.py

@@ -29,45 +29,259 @@
 
 @pytest.mark.integration_test
 class TestUserRestricted:
+
     @pytest.mark.asyncio
     @pytest.mark.parametrize(
-        "endpoint_url, is_fhir_4",
-        [("", False), ("/FHIR/R4/", True), ("/FHIR/STU3/", False)],
+        "endpoint_url, is_fhir_4, user, apim_app_flow_vars ",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
     )
-    async def test_user_restricted_invalid_ods_code(
+    async def test_user_restricted_valid_ods_code(
         self,
         authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
         endpoint_url,
         is_fhir_4,
-        service_url,
-        update_user_restricted_product,
+        apim_app_flow_vars,
     ):
-        access_code = await authenticate_user(
-            referring_clinician_insufficient_ial, ["invalid_code"]
-        )
+        access_code = await authenticate_user(user)
 
         client_request_headers = {
             _HEADER_ECHO: "",  # enable echo target
             _HEADER_AUTHORIZATION: "Bearer " + access_code,
             _HEADER_REQUEST_ID: "DUMMY-VALUE",
             RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
             RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
-            RenamedHeader.BUSINESS_FUNCTION.original: referring_clinician_insufficient_ial.business_function,
-            RenamedHeader.ODS_CODE.original: referring_clinician_insufficient_ial.org_code,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: user.org_code,
             RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
             RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
             RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
         }
 
         # Make the API call
-
-        # Make request with user with ODS code not in allow list (e.g. R69)
         response = requests.get(
             f"{service_url}{endpoint_url}", headers=client_request_headers
         )
 
         # Verify the status
-        # Verify 403 response with appropriate error message
+        assert (
+            response.status_code == 200
+        ), "Expected a 200 when accessing the api but got " + str(response.status_code)
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, ["invalid_code"]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, ["invalid_code"]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, ["invalid_code"]),
+        ],
+    )
+    async def test_user_restricted_invalid_ods_code(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: user.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
         assert (
             response.status_code == 403
         ), "Expected a 403 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "security" if is_fhir_4 else "forbidden"
+        assert issue["diagnostics"] == (
+            "Unauthorised ODS code provided in NHSD-End-User-Organisation-ODS header"
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "ACCESS_DENIED"
+        )
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
+    )
+    async def test_user_restricted_missing_ods_header(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
+        assert (
+            response.status_code == 400
+        ), "Expected a 400 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "invalid" if is_fhir_4 else "invalid"
+        assert issue["diagnostics"] == (
+            "Missing or Empty NHSD-End-User-Organisation-ODS header."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "MISSING_HEADER" if is_fhir_4 else "MISSING_HEADER"
+        )
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
+    )
+    async def test_user_restricted_missing_ods_code(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: "",
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
+        assert (
+            response.status_code == 400
+        ), "Expected a 400 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "invalid" if is_fhir_4 else "invalid"
+        assert issue["diagnostics"] == (
+            "Missing or Empty NHSD-End-User-Organisation-ODS header."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "MISSING_HEADER" if is_fhir_4 else "MISSING_HEADER"
+        )