Merge branch 'master' into VED-365-batch-performance-investigation

# Conflicts:
#	backend/poetry.lock
#	e2e_batch/poetry.lock
#	e2e_batch/pyproject.toml
#	lambdas/id_sync/poetry.lock
#	recordprocessor/poetry.lock
#	recordprocessor/src/batch_processor.py
#	recordprocessor/src/file_level_validation.py
#	recordprocessor/src/utils_for_recordprocessor.py

Author: nhsdevws

.github/dependabot.yml

@@ -51,6 +51,7 @@ updates:
       - "/"
       - "/ack_backend"
       - "/backend"
+      - "/batch_processor_filter"
       - "/delta_backend"
       - "/e2e"
       - "/e2e_batch"

ack_backend/poetry.lock

@@ -10,11 +10,11 @@ packages = [
 
 [tool.poetry.dependencies]
 python = "~3.11"
-boto3 = "~1.38.42"
-mypy-boto3-dynamodb = "^1.38.4"
+boto3 = "~1.40.28"
+mypy-boto3-dynamodb = "^1.40.20"
 freezegun      = "^1.5.2"
 moto           = "^4"
-coverage = "^7.9.1"
+coverage = "^7.10.6"
 
 
 [build-system]

ack_backend/pyproject.toml

@@ -9,12 +9,12 @@ packages    = [{include = "src"}]
 [tool.poetry.dependencies]
 python                  = "~3.11"
 "fhir.resources"        = "~7.0.2"
-boto3                   = "~1.38.42"
-boto3-stubs-lite        = {extras = ["dynamodb"], version = "~1.38.42"}
+boto3                   = "~1.40.28"
+boto3-stubs-lite        = {extras = ["dynamodb"], version = "~1.40.28"}
 aws-lambda-typing       = "~2.20.0"
 redis                   = "^4.6.0"
-moto                    = "^5.1.6"
-requests                = "~2.32.4"
+moto                    = "^5.1.12"
+requests                = "~2.32.5"
 responses               = "~0.25.7"
 pydantic                = "~1.10.13"
 pyjwt                   = "~2.10.1"
@@ -25,7 +25,7 @@ simplejson              = "^3.19.2"
 structlog               = "^24.1.0"
 python-stdnum           = "^2.1"
 freezegun               = "^1.5.1"
-coverage                = "^7.9.1"
+coverage                = "^7.10.6"
 
 [build-system]
 requires      = ["poetry-core ~= 1.5.0"]

backend/poetry.lock

@@ -0,0 +1,9 @@
+from enum import StrEnum
+
+
+class ApiOperationCode(StrEnum):
+    CREATE = "c"
+    READ = "r"
+    UPDATE = "u"
+    DELETE = "d"
+    SEARCH = "s"

backend/pyproject.toml

@@ -0,0 +1,72 @@
+"""Authoriser class"""
+import json
+
+from authorisation.api_operation_code import ApiOperationCode
+from clients import redis_client, logger
+from constants import SUPPLIER_PERMISSIONS_HASH_KEY
+
+
+class Authoriser:
+    """Authoriser class. Used for authorising operations on FHIR vaccinations."""
+    def __init__(self):
+        self._cache_client = redis_client
+
+    @staticmethod
+    def _expand_permissions(permissions: list[str]) -> dict[str, list[ApiOperationCode]]:
+        """Parses and expands permissions data into a dictionary mapping vaccination types to a list of permitted
+        API operations. The raw string from Redis will be in the form VAC.PERMS e.g. COVID19.CRUDS"""
+        expanded_permissions = {}
+
+        for permission in permissions:
+            vaccine_type, operation_codes_str = permission.split(".", maxsplit=1)
+            vaccine_type = vaccine_type.lower()
+            operation_codes = [
+                operation_code
+                for operation_code in operation_codes_str.lower()
+                if operation_code in list(ApiOperationCode)
+            ]
+            expanded_permissions[vaccine_type] = operation_codes
+
+        return expanded_permissions
+
+    def _get_supplier_permissions(self, supplier_system: str) -> dict[str, list[ApiOperationCode]]:
+        raw_permissions_data = self._cache_client.hget(SUPPLIER_PERMISSIONS_HASH_KEY, supplier_system)
+        permissions_data = json.loads(raw_permissions_data) if raw_permissions_data else []
+
+        return self._expand_permissions(permissions_data)
+
+    def authorise(
+        self,
+        supplier_system: str,
+        requested_operation: ApiOperationCode,
+        vaccination_types: set[str]
+    ) -> bool:
+        """Checks that the supplier system is permitted to carry out the requested operation on the given vaccination
+        type(s)"""
+        supplier_permissions = self._get_supplier_permissions(supplier_system)
+
+        logger.info(
+            f"operation: {requested_operation}, supplier_permissions: {supplier_permissions}, "
+            f"vaccine_types: {vaccination_types}"
+        )
+        return all(
+            requested_operation in supplier_permissions.get(vaccination_type.lower(), [])
+            for vaccination_type in vaccination_types
+        )
+
+    def filter_permitted_vacc_types(
+        self,
+        supplier_system: str,
+        requested_operation: ApiOperationCode,
+        vaccination_types: set[str]
+    ) -> set[str]:
+        """Returns the set of vaccine types that a given supplier can interact with for a given operation type.
+        This is a more permissive form of authorisation e.g. used in search as it will filter out any requested vacc
+        types that they cannot interact with without throwing an error"""
+        supplier_permissions = self._get_supplier_permissions(supplier_system)
+
+        return {
+            vaccine_type
+            for vaccine_type in vaccination_types
+            if requested_operation in supplier_permissions.get(vaccine_type.lower(), [])
+        }

backend/src/authorisation/__init__.py

@@ -23,3 +23,4 @@ class Urls:
 
 
 GENERIC_SERVER_ERROR_DIAGNOSTICS_MESSAGE = "Unable to process request. Issue may be transient."
+SUPPLIER_PERMISSIONS_HASH_KEY = "supplier_permissions"