[ERSSUP-74395]-[DW]-[Add support for referrer app restricted calls]-[AST]

Author: adamtallentire-nhsd

proxies/live/apiproxy/policies/AssignMessage.Set.nhsd-ers-business-function-header-app-restricted.xml

@@ -1,7 +1,13 @@
 <AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.Set.nhsd-ers-business-function-header-app-restricted">
+    <AssignVariable>
+        <Name>business-function-header-value</Name>
+        <Ref>app.app-restricted-business-function</Ref>
+        <Value>PROVIDER_AUTHORISED_APPLICATION</Value>
+        <!-- default value in case variable above is not defined -->
+    </AssignVariable>
     <Set>
         <Headers>
-            <Header name="x-ers-business-function">AUTHORISED_APPLICATION</Header>
+            <Header name="x-ers-business-function">{business-function-header-value}</Header>
         </Headers>
     </Set>
     <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>

tests/conftest.py

@@ -101,6 +101,14 @@ def app_restricted_user_id(is_mocked_environment):
     return "000000000101" if is_mocked_environment else "555032000100"
 
 
+@pytest.fixture(
+    scope="session",
+    params=["PROVIDER_AUTHORISED_APPLICATION", "REFERRER_AUTHORISED_APPLICATION"],
+)
+def app_restricted_business_function(request):
+    return request.param
+
+
 @pytest.fixture()
 def client():
     config = ApigeeNonProdCredentials()
@@ -252,6 +260,7 @@ async def app_restricted_app(
     asid,
     app_restricted_ods_code,
     app_restricted_user_id,
+    app_restricted_business_function,
 ):
     # Setup
     app = await make_app(
@@ -260,6 +269,7 @@ async def app_restricted_app(
             "asid": asid,
             "app-restricted-ods-code": app_restricted_ods_code,
             "app-restricted-user-id": app_restricted_user_id,
+            "app-restricted-business-function": app_restricted_business_function,
             "jwks-resource-url": jwt_public_key_url,
         },
     )

tests/integration/test_app_restricted.py

@@ -15,7 +15,8 @@
 _EXPECTED_CORRELATION_ID = "123123-123123-123123-123123"
 
 _SPECIALTY_REF_DATA_URL = "/FHIR/STU3/CodeSystem/SPECIALTY"
-_AUTHORISED_APPLICATION = "AUTHORISED_APPLICATION"
+_PROVIDER_AUTHORISED_APPLICATION = "PROVIDER_AUTHORISED_APPLICATION"
+_REFERRER_AUTHORISED_APPLICATION = "REFERRER_AUTHORISED_APPLICATION"
 _EXPECTED_ACCESS_MODE = "application-restricted"
 
 
@@ -27,11 +28,11 @@ async def test_authorised_application_not_supported_for_user_restricted(
     ):
         access_code = await authenticate_user(referring_clinician)
 
-        # attempt to use AUTHORISED_APPLICATION with an RC
+        # attempt to use REFERRER_AUTHORISED_APPLICATION with an RC
         client_request_headers = {
             _HEADER_AUTHORIZATION: "Bearer " + access_code,
             RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
-            RenamedHeader.BUSINESS_FUNCTION.original: _AUTHORISED_APPLICATION,
+            RenamedHeader.BUSINESS_FUNCTION.original: _REFERRER_AUTHORISED_APPLICATION,
             RenamedHeader.ODS_CODE.original: referring_clinician.org_code,
             _HEADER_REQUEST_ID: "DUMMY",  # this must be less than 10 characters
         }
@@ -63,7 +64,8 @@ def test_authorised_application_supported_for_app_restricted(
         "header,value",
         [
             (RenamedHeader.ODS_CODE.renamed, "ABC"),
-            (RenamedHeader.BUSINESS_FUNCTION.renamed, _AUTHORISED_APPLICATION),
+            (RenamedHeader.BUSINESS_FUNCTION.renamed, _PROVIDER_AUTHORISED_APPLICATION),
+            (RenamedHeader.BUSINESS_FUNCTION.renamed, _REFERRER_AUTHORISED_APPLICATION),
             (_HEADER_USER_ID, "1"),
         ],
     )
@@ -91,6 +93,7 @@ def test_headers_on_echo_target(
         asid,
         app_restricted_ods_code,
         app_restricted_user_id,
+        app_restricted_business_function,
     ):
         client_request_headers = {
             _HEADER_ECHO: "",  # enable echo target
@@ -102,7 +105,12 @@ def test_headers_on_echo_target(
         # Make the API call
         response = requests.get(service_url, headers=client_request_headers)
         self.assert_ok_echo_response(
-            response, service_url, asid, app_restricted_ods_code, app_restricted_user_id
+            response,
+            service_url,
+            asid,
+            app_restricted_ods_code,
+            app_restricted_user_id,
+            app_restricted_business_function,
         )
 
     def assert_ok_echo_response(
@@ -112,6 +120,7 @@ def assert_ok_echo_response(
         asid,
         app_restricted_ods_code,
         app_restricted_user_id,
+        app_restricted_business_function,
     ):
         assert (
             response.status_code == 200
@@ -180,7 +189,7 @@ def assert_ok_echo_response(
         )
         assert (
             target_request_headers[RenamedHeader.BUSINESS_FUNCTION.renamed]
-            == _AUTHORISED_APPLICATION
+            == app_restricted_business_function
         )
         assert (
             target_request_headers[RenamedHeader.ODS_CODE.renamed]
@@ -198,6 +207,7 @@ def test_access_mode_header_overwritten_on_echo_target(
         asid,
         app_restricted_ods_code,
         app_restricted_user_id,
+        app_restricted_business_function,
     ):
         client_request_headers = {
             _HEADER_ECHO: "",  # enable echo target
@@ -210,5 +220,10 @@ def test_access_mode_header_overwritten_on_echo_target(
         # Make the API call
         response = requests.get(service_url, headers=client_request_headers)
         self.assert_ok_echo_response(
-            response, service_url, asid, app_restricted_ods_code, app_restricted_user_id
+            response,
+            service_url,
+            asid,
+            app_restricted_ods_code,
+            app_restricted_user_id,
+            app_restricted_business_function,
         )