[ERSSUP-89806]-[]-[Added body to invalid business function response]-[JW]

nhsd-jack-wainwright · nhsd-jack-wainwright · commit 51230fe0a309 · 2025-09-03T14:41:18.000+01:00
diff --git a/proxies/live/apiproxy/policies/RaiseFault.InvalidBusinessFunction.xml b/proxies/live/apiproxy/policies/RaiseFault.InvalidBusinessFunction.xml
@@ -0,0 +1,10 @@
+<RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.InvalidBusinessFunction">
+    <FaultResponse>
+        <Set>
+            <Payload contentType="text/plain"/>
+            <StatusCode>403</StatusCode>
+            <ReasonPhrase>Forbidden</ReasonPhrase>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>
diff --git a/proxies/live/apiproxy/targets/AssignMessage.SetOperationOutcomeInvalidBusinessFunction.xml b/proxies/live/apiproxy/targets/AssignMessage.SetOperationOutcomeInvalidBusinessFunction.xml
@@ -0,0 +1,14 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeInvalidBusinessFunction">
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>User does not have the required Business Function and the specified Organisation.</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>403</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
@@ -106,6 +106,23 @@
             </Step>
             <Condition>(raisefault.RaiseFault.MissingAsid.failed = true)</Condition>
         </FaultRule>
+        <FaultRule>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.setOperationOutcomeVariables</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.setOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeInvalidBusinessFunction</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
+        </FaultRule>
     </FaultRules>
     <PreFlow>
         <Request>
@@ -155,7 +172,7 @@
         <Flow name="user-restricted-flow">
             <Condition>(accesstoken.auth_type == "user")</Condition>
             <Request><!--AUTHORISED_APPLICATION business functions are not supported in user restricted flow --><Step>
-                    <Name>RaiseFault.403Forbidden</Name>
+                    <Name>RaiseFault.InvalidBusinessFunction</Name>
                     <Condition>(request.header.nhsd-ers-business-function == "PROVIDER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "REFERRER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
                 </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
diff --git a/tests/integration/test_app_restricted.py b/tests/integration/test_app_restricted.py
@@ -51,8 +51,6 @@ async def test_authorised_application_not_supported_for_user_restricted(
             + response.status_code
         )
 
-        assert response.text == ""
-
         assert (
             response.headers[RenamedHeader.CORRELATION_ID.original]
             == _EXPECTED_CORRELATION_ID
@@ -61,6 +59,30 @@ async def test_authorised_application_not_supported_for_user_restricted(
         for renamed_header in RenamedHeader:
             assert renamed_header.renamed not in response.headers
 
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert (
+            response_data["meta"]["profile"][0]
+            == "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "forbidden"
+        assert issue["diagnostics"] == (
+            "User does not have the required Business Function and the specified Organisation."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert issue_details["code"] == "NO_ACCESS"
+
     def test_authorised_application_supported_for_app_restricted(
         self, app_restricted_access_code, service_url
     ):
diff --git a/tests/integration/test_headers.py b/tests/integration/test_headers.py
@@ -75,15 +75,21 @@ async def test_headers_on_echo_target(
 
     @pytest.mark.asyncio
     @pytest.mark.parametrize(
-        "business_function",
+        "business_function,endpoint_url,is_r4",
         [
-            "PROVIDER_AUTHORISED_APPLICATION",
-            "REFERRER_AUTHORISED_APPLICATION",
-            "AUTHORISED_APPLICATION",
+            ("PROVIDER_AUTHORISED_APPLICATION", "", False),
+            ("REFERRER_AUTHORISED_APPLICATION", "", False),
+            ("AUTHORISED_APPLICATION", "", False),
+            ("PROVIDER_AUTHORISED_APPLICATION", "/FHIR/STU3/", False),
+            ("REFERRER_AUTHORISED_APPLICATION", "/FHIR/STU3/", False),
+            ("AUTHORISED_APPLICATION", "/FHIR/STU3/", False),
+            ("PROVIDER_AUTHORISED_APPLICATION", "/FHIR/R4/", True),
+            ("REFERRER_AUTHORISED_APPLICATION", "/FHIR/R4/", True),
+            ("AUTHORISED_APPLICATION", "/FHIR/R4/", True),
         ],
     )
     async def test_headers_on_echo_target_with_app_restricted_business_function(
-        self, business_function, authenticate_user, service_url
+        self, business_function, endpoint_url, is_r4, authenticate_user, service_url
     ):
         user = Actor.RC
         access_code = await authenticate_user(user)
@@ -101,7 +107,9 @@ async def test_headers_on_echo_target_with_app_restricted_business_function(
         }
 
         # Make the API call
-        response = requests.get(service_url, headers=client_request_headers)
+        response = requests.get(
+            service_url + endpoint_url, headers=client_request_headers
+        )
 
         assert response.status_code == 403, (
             "Expected a 403 response when attempting to call the endpoint, but instead received a "
@@ -114,6 +122,33 @@ async def test_headers_on_echo_target_with_app_restricted_business_function(
             + response_body
         )
 
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_r4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "forbidden"
+        assert issue["diagnostics"] == (
+            "User does not have the required Business Function and the specified Organisation."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_r4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert issue_details["code"] == "ACCESS_DENIED" if is_r4 else "NO_ACCESS"
+
     @pytest.mark.asyncio
     @pytest.mark.parametrize(
         "endpoint_url,is_r4",
