Merge pull request #2195 from NHSDigital/feature/ERSSUP-83710

Feature/erssup 83710

Author: nhsd-david-wass

…icationOperationOutcomeErrorResponse.xml …essage.OperationOutcomeErrorResponse.xmlproxies/live/apiproxy/policies/AssignMessage.AuthenticationOperationOutcomeErrorResponse.xml renamed to proxies/live/apiproxy/policies/AssignMessage.OperationOutcomeErrorResponse.xml proxies/live/apiproxy/policies/AssignMessage.AuthenticationOperationOutcomeErrorResponse.xml renamed to proxies/live/apiproxy/policies/AssignMessage.OperationOutcomeErrorResponse.xml

@@ -1,6 +1,6 @@
-<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.AuthenticationOperationOutcomeErrorResponse">
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.OperationOutcomeErrorResponse">
     <Set>
-        <StatusCode>401</StatusCode>
+        <StatusCode>{status_code}</StatusCode>
         <ReasonPhrase>Unauthorized</ReasonPhrase>
         <Payload contentType="application/fhir+json" variablePrefix="%" variableSuffix="#">{ "resourceType": "OperationOutcome", "meta": { "lastUpdated": "%current_timestamp#", "profile" : [ "%op_outcome_fhir_profile#" ] }, "issue": [ { "severity": "error", "code": "%op_outcome_issue_code#", "details": { "coding": [ { "system": "%op_outcome_issue_details_coding_system#", "code": "%op_outcome_issue_details_coding_code#" } ] }, "diagnostics": "%faultstring#" } ] }</Payload>
     </Set>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueCodeLogin.xml

@@ -1,4 +1,8 @@
 <AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueCodeLogin">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>401</Value>
+    </AssignVariable>
     <AssignVariable>
         <Name>op_outcome_issue_code</Name>
         <Value>login</Value>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeIssueIal.xml

@@ -1,4 +1,8 @@
 <AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeIssueIal">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>401</Value>
+    </AssignVariable>
     <AssignVariable>
         <Name>op_outcome_issue_code</Name>
         <Value>forbidden</Value>

proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeMissingAsid.xml

@@ -0,0 +1,14 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeMissingAsid">
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>ASID is not configured in the application</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>403</Value>
+    </AssignVariable>
+</AssignMessage>

proxies/live/apiproxy/policies/RaiseFault.MissingAsid.xml

@@ -0,0 +1,10 @@
+<RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.MissingAsid">
+    <FaultResponse>
+        <Set>
+            <Payload contentType="text/plain"/>
+            <StatusCode>403</StatusCode>
+            <ReasonPhrase>Forbidden</ReasonPhrase>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>

proxies/live/apiproxy/targets/ers-target.xml

@@ -15,7 +15,7 @@
                 <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = true)</Condition>
         </FaultRule>
@@ -43,7 +43,7 @@
                 <Condition>aalError != true</Condition>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
                 <Condition>aalError = true</Condition>
             </Step>
             <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = false)</Condition>
@@ -85,10 +85,27 @@
                 <Name>AssignMessage.SetOperationOutcomeIssueIal</Name>
             </Step>
             <Step>
-                <Name>AssignMessage.AuthenticationOperationOutcomeErrorResponse</Name>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
             </Step>
             <Condition>(raisefault.RaiseFault.401InsufficientIal.failed = true)</Condition>
         </FaultRule>
+        <FaultRule name="missing_asid">
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeMissingAsid</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.MissingAsid.failed = true)</Condition>
+        </FaultRule>
     </FaultRules>
     <PreFlow>
         <Request>
@@ -101,6 +118,10 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
+            <Step>
+                <Name>RaiseFault.MissingAsid</Name>
+                <Condition>(app.asid == null) Or (app.asid == "")</Condition>
+            </Step>
             <Step>
                 <Name>AssignMessage.PopulateAsidFromApp</Name>
             </Step>

sandbox/src/mocks/stu3/STU3-Unauthorised.json

@@ -0,0 +1,23 @@
+{
+  "meta": {
+    "profile": [
+      "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+    ]
+  },
+  "resourceType": "OperationOutcome",
+  "issue": [
+    {
+      "severity": "error",
+      "code": "login",
+      "details": {
+        "coding": [
+          {
+            "system": "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1",
+            "code": "NO_ACCESS"
+          }
+        ]
+      },
+      "diagnostics": "Example diagnostics message."
+    }
+  ]
+}

specification/components/r4/schemas/responses/Forbidden.yaml

@@ -5,6 +5,7 @@ description: |
   | issue.details.coding.code | issue.code | Coding System                                                      | Description                                                                        |
   | ------------------------- | ---------- | ------------------------------------------------------------------ | ---------------------------------------------------------------------------------- |
   | REC_FORBIDDEN             | forbidden  | [BaRS Error Code](https://fhir.nhs.uk/CodeSystem/http-error-codes) | A call attempts to access or operate upon a resource without proper authorisation. |
+  | ACCESS_DENIED             | forbidden  | [APIM Error Code](https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode) | The request could not be authenticated due to insufficient credentials being provided. |
 
 headers:
   X-Correlation-ID:
@@ -18,4 +19,4 @@ content:
     schema:
       $ref: '../NHSDigital-OperationOutcome.yaml'
     example:
-      $ref: '../../examples/NHSDigital-OperationOutcome-403.json'
+      $ref: '../../examples/NHSDigital-OperationOutcome-403.json'

specification/components/r4/schemas/responses/Unauthorized.yaml

@@ -4,7 +4,7 @@ description: |
   
   | issue.details.coding.code | issue.code       | Coding System                                                                 | Description                                                                                                                                                                              |
   | ------------------------- | ---------------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-  | ACCESS_DENIED             | login            | [APIM Error Code](https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode) | The request could not be authenticated due to either no credentials being provided or the provided credentials no longer being valid. Callers receiving this code should reauthenticate. |
+  | ACCESS_DENIED             | <ul><li>login</li><li>forbidden</li></ul> | [APIM Error Code](https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode) | The request could not be authenticated due to either no credentials being provided or the provided credentials no longer being valid. Callers receiving this code should reauthenticate. |
 headers:
   X-Correlation-ID:
     $ref: '../headers/response/CorrelationID.yaml'
@@ -15,4 +15,4 @@ content:
     schema:
       $ref: '../NHSDigital-OperationOutcome.yaml'
     example:
-      $ref: '../../examples/NHSDigital-OperationOutcome-401.json'
+      $ref: '../../examples/NHSDigital-OperationOutcome-401.json'

specification/components/stu3/schemas/responses/Forbidden.yaml

@@ -2,9 +2,10 @@ description: |
   Where status code 403 (Forbidden) is returned then an eRS-OperationOutcome-1 will be included in the body, as detailed below.
   Check diagnostics property for specific information regarding the error.
   
-  | Error code                         | Description                                                                                                                 |
-  | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-  | FORBIDDEN                          | Access Forbidden.                                                               |
+  | issue.details.coding.code | issue.code | Coding System                                                      | Description                                                                        |
+  | ------------------------- | ---------- | ------------------------------------------------------------------ | ---------------------------------------------------------------------------------- |
+  | FORBIDDEN                 | forbidden  | [eRS Error Code](https://fhir.nhs.uk/CodeSystem/ers-error-codes)   | A call attempts to access or operate upon a resource without proper authorisation. |
+  | NO_ACCESS                 | forbidden  | [eRS Error Code](https://fhir.nhs.uk/CodeSystem/ers-error-codes)   | The request could not be authenticated due to insufficient credentials being provided. |
 headers:
   X-Correlation-ID:
     $ref: '../headers/response/CorrelationID.yaml'