[ERSSUP-68202]-[JW]-[Return 403 - Forbidden for missing ASID in application]-[DMW]

nhsd-david-wass · nhsd-david-wass · commit 5d75bb74f499 · 2025-04-01T08:48:38.000Z
diff --git a/proxies/live/apiproxy/policies/AssignMessage.OperationOutcomeErrorResponse.xml b/proxies/live/apiproxy/policies/AssignMessage.OperationOutcomeErrorResponse.xml
@@ -1,6 +1,6 @@
-<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.AuthenticationOperationOutcomeErrorResponse">
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.OperationOutcomeErrorResponse">
     <Set>
-        <StatusCode>401</StatusCode>
+        <StatusCode>{status_code}</StatusCode>
         <ReasonPhrase>Unauthorized</ReasonPhrase>
         <Payload contentType="application/fhir+json" variablePrefix="%" variableSuffix="#">{ "resourceType": "OperationOutcome", "meta": { "lastUpdated": "%current_timestamp#", "profile" : [ "%op_outcome_fhir_profile#" ] }, "issue": [ { "severity": "error", "code": "%op_outcome_issue_code#", "details": { "coding": [ { "system": "%op_outcome_issue_details_coding_system#", "code": "%op_outcome_issue_details_coding_code#" } ] }, "diagnostics": "%faultstring#" } ] }</Payload>
     </Set>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueCodeLogin.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueCodeLogin.xml
@@ -1,4 +1,8 @@
 <AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueCodeLogin">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>401</Value>
+    </AssignVariable>
     <AssignVariable>
         <Name>op_outcome_issue_code</Name>
         <Value>login</Value>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueIal.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueIal.xml
@@ -1,4 +1,8 @@
 <AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueIal">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>401</Value>
+    </AssignVariable>
     <AssignVariable>
         <Name>op_outcome_issue_code</Name>
         <Value>forbidden</Value>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeMissingAsid.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeMissingAsid.xml
@@ -0,0 +1,14 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeMissingAsid">
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>ASID is not configured in the application</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>403</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/RaiseFault.MissingAsid.xml b/proxies/live/apiproxy/policies/RaiseFault.MissingAsid.xml
@@ -0,0 +1,10 @@
+<RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.MissingAsid">
+    <FaultResponse>
+        <Set>
+            <Payload contentType="text/plain"/>
+            <StatusCode>403</StatusCode>
+            <ReasonPhrase>Forbidden</ReasonPhrase>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>
diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
@@ -15,7 +15,7 @@
                 <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = true)</Condition>
         </FaultRule>
@@ -43,7 +43,7 @@
                 <Condition>aalError != true</Condition>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
                 <Condition>aalError = true</Condition>
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = false)</Condition>
@@ -85,10 +85,27 @@
                 <Name>AssignMessage.SetOperationOutcomeIssueIal</Name>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
             </Step>
             <Condition>(raisefault.RaiseFault.401InsufficientIal.failed = true)</Condition>
         </FaultRule>
+        <FaultRule name="missing_asid">
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeMissingAsid</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.MissingAsid.failed = true)</Condition>
+        </FaultRule>
     </FaultRules>
     <PreFlow>
         <Request>
@@ -101,6 +118,10 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
+            <Step>
+                <Name>RaiseFault.MissingAsid</Name>
+                <Condition>(app.asid == null) Or (app.asid == "")</Condition>
+            </Step>
             <Step>
                 <Name>AssignMessage.PopulateAsidFromApp</Name>
             </Step>
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -167,6 +167,77 @@ def _update_function(append_scopes: Collection[str]):
     return _update_function
 
 
+@pytest.fixture
+def delete_user_restricted_app_attr(
+    user_restricted_app, client: ApigeeClient
+) -> Callable[[Collection[str]], Generator[Dict[str, str], None, None]]:
+    @contextmanager
+    def _update_function(attr):
+        app_api = DeveloperAppsAPI(client=client)
+        app = app_api.get_app_by_name(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=user_restricted_app["name"],
+        )
+
+        warnings.warn(f"Existing app = {app}")
+
+        existing_attributes = app_api.get_app_attributes(
+            email="apm-testing-internal-dev@nhs.net", app_name=app["name"]
+        )
+
+        yield app_api.delete_app_attribute_by_name(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=app["name"],
+            attribute_name=attr,
+        )
+
+        # reset the product once the context manager has been closed.
+
+        app_api.post_app_attributes(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=app["name"],
+            body=existing_attributes,
+        )
+
+    return _update_function
+
+
+@pytest.fixture
+def update_user_restricted_app_attr(
+    user_restricted_app, client: ApigeeClient
+) -> Callable[[Collection[str]], Generator[Dict[str, str], None, None]]:
+    @contextmanager
+    def _update_function(attr, value):
+        app_api = DeveloperAppsAPI(client=client)
+        app = app_api.get_app_by_name(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=user_restricted_app["name"],
+        )
+
+        warnings.warn(f"Existing app = {app}")
+
+        existing_attributes = app_api.get_app_attributes(
+            email="apm-testing-internal-dev@nhs.net", app_name=app["name"]
+        )
+
+        yield app_api.post_app_attribute_by_name(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=app["name"],
+            attribute_name=attr,
+            body={"value": value},
+        )
+
+        # reset the product once the context manager has been closed.
+
+        app_api.post_app_attributes(
+            email="apm-testing-internal-dev@nhs.net",
+            app_name=app["name"],
+            body=existing_attributes,
+        )
+
+    return _update_function
+
+
 @pytest.fixture
 def make_product(client, environment, service_name):
     async def _make_product(product_scopes):
diff --git a/tests/integration/test_headers.py b/tests/integration/test_headers.py
@@ -517,3 +517,147 @@ async def test_access_code_not_supported(
 
         for renamed_header in RenamedHeader:
             assert renamed_header.renamed not in client_response_headers
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "user, endpoint_url, is_fhir_4",
+        [
+            (Actor.RC, "/FHIR/R4/", True),
+            (Actor.AAL2_USER, "/FHIR/R4/", True),
+            (Actor.RC, "/FHIR/STU3/", False),
+            (Actor.AAL2_USER, "/FHIR/STU3/", False),
+        ],
+    )
+    async def test_headers_on_echo_target_no_asid(
+        self,
+        authenticate_user,
+        endpoint_url,
+        is_fhir_4,
+        service_url,
+        delete_user_restricted_app_attr,
+        user: Actor,
+    ):
+        with delete_user_restricted_app_attr("asid"):
+
+            access_code = await authenticate_user(user)
+
+            client_request_headers = {
+                _HEADER_ECHO: "",  # enable echo target
+                _HEADER_AUTHORIZATION: "Bearer " + access_code,
+                _HEADER_REQUEST_ID: "DUMMY-VALUE",
+                RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+                RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+                RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+                RenamedHeader.ODS_CODE.original: user.org_code,
+                RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+                RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+                RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+            }
+
+            # Make the API call
+            response = requests.get(
+                f"{service_url}{endpoint_url}", headers=client_request_headers
+            )
+            # Verify the status
+            assert (
+                response.status_code == 403
+            ), "Expected a 403 when accessing the api but got " + str(
+                response.status_code
+            )
+
+            response_data = response.json()
+            assert response_data["resourceType"] == "OperationOutcome"
+            assert response_data["meta"]["lastUpdated"] is not None
+            assert response_data["meta"]["profile"][0] == (
+                "https://www.hl7.org/fhir/R4/operationoutcome.html"
+                if is_fhir_4
+                else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+            )
+            assert len(response_data["issue"]) == 1
+            issue = response_data["issue"][0]
+            assert issue["severity"] == "error"
+            assert issue["code"] == "forbidden"
+            assert issue["diagnostics"] == "ASID is not configured in the application"
+            assert len(issue["details"]["coding"]) == 1
+            issue_details = issue["details"]["coding"][0]
+            assert (
+                issue_details["system"]
+                == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+                if is_fhir_4
+                else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+            )
+            assert (
+                issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "NO_ACCESS"
+            )
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "user, endpoint_url, is_fhir_4",
+        [
+            (Actor.RC, "/FHIR/R4/", True),
+            (Actor.AAL2_USER, "/FHIR/R4/", True),
+            (Actor.RC, "/FHIR/STU3/", False),
+            (Actor.AAL2_USER, "/FHIR/STU3/", False),
+        ],
+    )
+    async def test_headers_on_echo_target_empty_asid(
+        self,
+        authenticate_user,
+        endpoint_url,
+        is_fhir_4,
+        service_url,
+        update_user_restricted_app_attr,
+        user: Actor,
+    ):
+        with update_user_restricted_app_attr("asid", ""):
+
+            access_code = await authenticate_user(user)
+
+            client_request_headers = {
+                _HEADER_ECHO: "",  # enable echo target
+                _HEADER_AUTHORIZATION: "Bearer " + access_code,
+                _HEADER_REQUEST_ID: "DUMMY-VALUE",
+                RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+                RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+                RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+                RenamedHeader.ODS_CODE.original: user.org_code,
+                RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+                RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+                RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+            }
+
+            # Make the API call
+            response = requests.get(
+                f"{service_url}{endpoint_url}", headers=client_request_headers
+            )
+            # Verify the status
+            assert (
+                response.status_code == 403
+            ), "Expected a 403 when accessing the api but got " + str(
+                response.status_code
+            )
+
+            response_data = response.json()
+            assert response_data["resourceType"] == "OperationOutcome"
+            assert response_data["meta"]["lastUpdated"] is not None
+            assert response_data["meta"]["profile"][0] == (
+                "https://www.hl7.org/fhir/R4/operationoutcome.html"
+                if is_fhir_4
+                else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+            )
+            assert len(response_data["issue"]) == 1
+            issue = response_data["issue"][0]
+            assert issue["severity"] == "error"
+            assert issue["code"] == "forbidden"
+            assert issue["diagnostics"] == "ASID is not configured in the application"
+            assert len(issue["details"]["coding"]) == 1
+            issue_details = issue["details"]["coding"][0]
+            assert (
+                issue_details["system"]
+                == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+                if is_fhir_4
+                else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+            )
+            assert (
+                issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "NO_ACCESS"
+            )
