first attempt at integration test

Author: kevinmason-nhs

.env

@@ -79,6 +79,12 @@ def asid(is_mocked_environment):
     )
 
 
+@pytest.fixture(scope="session")
+def apim_app_flow_vars(allowListodsCode=None):
+    if allowListodsCode is not None:
+        return {"ers": {"allowListodsCode": allowListodsCode}}
+
+
 @pytest.fixture(scope="session")
 def referring_clinician(is_mocked_environment):
     return Actor.RC_DEV if is_mocked_environment else Actor.RC
@@ -127,7 +133,8 @@ async def user_restricted_product(client, make_product):
         [
             "urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api",
             "urn:nhsd:apim:user-nhs-id:aal2:e-referrals-service-api",
-        ]
+        ],
+        additional_attributes=[{"name": "EUOAllowlist", "value": "false"}],
     )
 
     print(f"product created: {productName}")
@@ -240,7 +247,7 @@ def _update_function(attr, value):
 
 @pytest.fixture
 def make_product(client, environment, service_name):
-    async def _make_product(product_scopes):
+    async def _make_product(product_scopes, additional_attributes=None):
         product = ApiProductsAPI(client=client)
 
         proxies = [f"identity-service-mock-{environment}"]
@@ -251,9 +258,12 @@ async def _make_product(product_scopes):
         product_name = f"apim-auto-{uuid4()}"
         attributes = [
             {"name": "access", "value": "public"},
-            {"name": "EUOAllowlistRequired", "value": "false"},
             {"name": "ratelimit", "value": "10ps"},
         ]
+
+        if additional_attributes is not None:
+            attributes.extend(additional_attributes)
+
         body = {
             "proxies": proxies,
             "scopes": product_scopes,
@@ -273,9 +283,17 @@ async def _make_product(product_scopes):
 
 
 @pytest_asyncio.fixture
-async def user_restricted_app(client, make_app, user_restricted_product, asid):
+async def user_restricted_app(
+    client, make_app, user_restricted_product, asid, apim_app_flow_vars
+):
     # Setup
-    app = await make_app(user_restricted_product, {"asid": asid})
+    if apim_app_flow_vars is not None:
+        app = await make_app(
+            user_restricted_product,
+            {"asid": asid, "apim-app-flow-vars": apim_app_flow_vars},
+        )
+    else:
+        app = await make_app(user_restricted_product, {"asid": asid})
 
     appName = app["name"]
     print(f"App created: {appName}")
@@ -318,7 +336,7 @@ async def _make_app(product, custom_attributes={}):
 
 @pytest.fixture
 def authenticate_user(client, user_restricted_app, environment, oauth_url):
-    async def _auth(actor: Actor):
+    async def _auth(actor: Actor, apim_app_flow_vars=None):
         print(f"Attempting to authenticate: {actor}")
 
         credentials = user_restricted_app["credentials"][0]

tests/conftest.py

@@ -0,0 +1,73 @@
+import pytest
+import requests
+from requests import Response
+from tests.data import RenamedHeader, Actor, UserAuthenticationLevel
+from tests.asserts import assert_ok_response
+
+_HEADER_AUTHORIZATION = "Authorization"
+_HEADER_ECHO = "echo"  # enable echo target
+_HEADER_BASE_URL = "x-ers-network-baseurl"
+_HEADER_USER_ID = "x-ers-user-id"
+_HEADER_REQUEST_ID = "x-request-id"
+_HEADER_ASID = "xapi_asid"
+_HEADER_ACCESS_MODE = "x-ers-access-mode"
+_HEADER_AAL = "x-ers-authentication-assurance-level"
+_HEADER_AMR = "x-ers-amr"
+_HEADER_ID_ASSURANCE_LEVEL = "x-ers-id-assurance-level"
+
+_EXPECTED_REFERRAL_ID = "000000040032"
+_EXPECTED_CORRELATION_ID = "123123-123123-123123-123123"
+_EXPECTED_FILENAME = "mysuperfilename.txt"
+_EXPECTED_COMMA_FILENAME = "mysuper,filename.txt"
+_EXPECTED_COMM_RULE_ORG = "R100"
+_EXPECTED_OBO_USER_ID = "0123456789000"
+_EXPECTED_ACCESS_MODE = "user-restricted"
+
+_SPECIALTY_REF_DATA_URL = "/FHIR/STU3/CodeSystem/SPECIALTY"
+_SEARCH_HEALTHCARE_SERVICE_R4_URL = "/FHIR/R4/HealthcareService"
+
+
+@pytest.mark.integration_test
+class TestUserRestricted:
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4",
+        [("", False), ("/FHIR/R4/", True), ("/FHIR/STU3/", False)],
+    )
+    async def test_user_restricted_invalid_ods_code(
+        self,
+        authenticate_user,
+        endpoint_url,
+        is_fhir_4,
+        service_url,
+        update_user_restricted_product,
+    ):
+        access_code = await authenticate_user(
+            referring_clinician_insufficient_ial, ["invalid_code"]
+        )
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: referring_clinician_insufficient_ial.business_function,
+            RenamedHeader.ODS_CODE.original: referring_clinician_insufficient_ial.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+
+        # Make request with user with ODS code not in allow list (e.g. R69)
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+
+        # Verify the status
+        # Verify 403 response with appropriate error message
+        assert (
+            response.status_code == 403
+        ), "Expected a 403 when accessing the api but got " + str(response.status_code)