Merge pull request #35 from NHSDigital/AMB-1709-adding-auth-errors-to-proxy

Creating new PR for proxy error handling due to conflicts

Author: ewan-IW

proxies/live/apiproxy/policies/AssignMessage.InvalidAccessToken.xml

@@ -0,0 +1,33 @@
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.InvalidAccessToken">
+  <Set>
+    <StatusCode>401</StatusCode>
+    <Payload contentType="application/json">
+    {
+      "resourceType": "OperationOutcome",
+      "id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+      "meta": {
+        "profile": [
+          "https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+        ]
+      },
+      "issue": [
+        {
+          "severity": "error",
+          "code": "expired",
+          "details": {
+            "coding": [
+              {
+                "system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+                "code": "SEND_UNAUTHORIZED"
+              }
+            ]
+          },
+          "diagnostics": "The sender has not provided a token or it has expired or is otherwise invalid."
+        }
+      ]
+    }
+    </Payload>
+  </Set>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+  <AssignTo createNew="false" transport="http" type="response" />
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.InvalidOperation.xml

@@ -0,0 +1,33 @@
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.InvalidOperation">
+  <Set>
+    <StatusCode>400</StatusCode>
+    <Payload contentType="application/json">
+    {
+      "resourceType": "OperationOutcome",
+      "id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+      "meta": {
+        "profile": [
+          "https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+        ]
+      },
+      "issue": [
+        {
+          "severity": "error",
+          "code": "invalid",
+          "details": {
+            "coding": [
+              {
+                "system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+                "code": "INVALID_OPERATION"
+              }
+            ]
+          },
+          "diagnostics": "Invalid operation."
+        }
+      ]
+    }
+    </Payload>
+  </Set>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+  <AssignTo createNew="false" transport="http" type="response" />
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.PermissionsError.xml

@@ -0,0 +1,33 @@
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AssignMessage.PermissionsError">
+  <Set>
+    <StatusCode>403</StatusCode>
+    <Payload contentType="application/json">
+    {
+    "resourceType": "OperationOutcome",
+    "id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+    "meta": {
+        "profile": [
+            "https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+        ]
+    },
+    "issue": [
+            {
+                "severity": "error",
+                "code": "forbidden",
+                 "details": {
+                    "coding": [
+                     {
+                         "system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+                         "code": "SEND_UNAUTHORIZED"
+                     }
+                    ]
+                },
+                "diagnostics": "The sender does not have permissions to access this resource. Please check your credentials and permissions."
+            }
+        ]
+    }
+    </Payload>
+  </Set>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+  <AssignTo createNew="false" transport="http" type="response" />
+</AssignMessage>

proxies/live/apiproxy/proxies/default.xml

@@ -42,8 +42,7 @@
           <Name>javascript.SetStatusResponse</Name>
         </Step>
       </Response>
-      <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))
-      </Condition>
+      <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
     </Flow>
   </Flows>
   <PostClientFlow name="PostClientFlow">
@@ -69,9 +68,4 @@
   <RouteRule name="immunisation-fhir-api-target">
     <TargetEndpoint>immunisation-fhir-api-target</TargetEndpoint>
   </RouteRule>
-  <DefaultFaultRule>
-    <Step>
-      <Name>AssignMessage.Errors.CatchAllMessage</Name>
-    </Step>
-  </DefaultFaultRule>
 </ProxyEndpoint>

proxies/live/apiproxy/targets/target.xml

@@ -1,25 +1,34 @@
 <TargetEndpoint name="immunisation-fhir-api-target">
   <PreFlow>
     <Request>
-      <Step>
-        <Name>OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3</Name>
-      </Step>
-      <Step>
-        <Name>FlowCallout.ApplyRateLimiting</Name>
-      </Step>
+        <Step>
+            <Name>OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3</Name>
+        </Step>
+        <Step>
+            <Name>FlowCallout.ApplyRateLimiting</Name>
+        </Step>
     </Request>
   </PreFlow>
-  <FaultRules>
-    <FaultRule name="access_token_expired">
-      <Step>
-        <Name>ExtractVariables.OAuthErrorFaultString</Name>
-      </Step>
-      <Step>
-        <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
-      </Step>
-      <Condition>oauthV2.OauthV2.VerifyAccessToken.failed</Condition>
-    </FaultRule>
-  </FaultRules>
+    <FaultRules>
+      <FaultRule name="400_invalid_operation">
+          <Condition>(oauthV2.failed == false) and (request.verb = "GET")</Condition>
+          <Step>
+              <Name>AssignMessage.InvalidOperation</Name>
+          </Step>
+      </FaultRule>
+      <FaultRule name="401_invalid_token">
+          <Condition>oauthV2.OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3.fault.cause == "Invalid access token"</Condition>
+          <Step>
+              <Name>AssignMessage.InvalidAccessToken</Name>
+          </Step>
+      </FaultRule>
+      <FaultRule name="403_invalid_permissions">
+          <Condition>(oauthV2.OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3.fault.cause != "Invalid access token") and (oauthV2.OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3.failed == true)</Condition>
+          <Step>
+              <Name>AssignMessage.PermissionsError</Name>
+          </Step>
+      </FaultRule>
+    </FaultRules>
   <HTTPTargetConnection>
     <URL>{{ DOMAIN_ENDPOINT }}</URL>
     <Properties>

specification/examples/OperationOutcome/400-invalid_operation.json

@@ -0,0 +1,24 @@
+{
+	"resourceType": "OperationOutcome",
+	"id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+	"meta": {
+		"profile": [
+			"https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+		]
+	},
+	"issue": [
+		{
+			"severity": "error",
+			"code": "invalid",
+			"details": {
+				"coding": [
+					{
+						"system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+						"code": "INVALID_OPERATION"
+					}
+				]
+			},
+			"diagnostics": "Invalid operation."
+		}
+	]
+}

specification/examples/OperationOutcome/401-invalid_access_token.json

@@ -0,0 +1,24 @@
+{
+	"resourceType": "OperationOutcome",
+	"id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+	"meta": {
+		"profile": [
+			"https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+		]
+	},
+	"issue": [
+		{
+			"severity": "error",
+			"code": "expired",
+			"details": {
+				"coding": [
+					{
+						"system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+						"code": "SEND_UNAUTHORIZED"
+					}
+				]
+			},
+			"diagnostics": "The sender has not provided a token or it has expired or is otherwise invalid."
+		}
+	]
+}

specification/examples/OperationOutcome/403-unauthorized.json

@@ -0,0 +1,24 @@
+{
+    "resourceType": "OperationOutcome",
+    "id": "a5abca2a-4eda-41da-b2cc-95d48c6b791d",
+    "meta": {
+        "profile": [
+            "https://simplifier.net/guide/UKCoreDevelopment2/ProfileUKCore-OperationOutcome"
+        ]
+    },
+    "issue": [
+        {
+            "severity": "error",
+            "code": "forbidden",
+                "details": {
+                "coding": [
+                    {
+                        "system": "https://fhir.nhs.uk/Codesystem/http-error-codes",
+                        "code": "SEND_UNAUTHORIZED"
+                    }
+                ]
+            },
+            "diagnostics": "The sender does not have permissions to access this resource. Please check your credentials and permissions."
+        }
+    ]
+}

terraform/batch-processing/iam.tf

@@ -1,22 +1,22 @@
 resource "aws_iam_role" batch_processing_lambda_role {
   name = "${var.short_prefix}-batch-processing-lambda-role"
   assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
     {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Action": [
-            "sts:AssumeRole"
-          ],
-          "Principal": {
-            "Service": "lambda.amazonaws.com"
-          },
-          "Effect": "Allow",
-          "Sid": ""
-        }
-      ]
+      "Action": [
+        "sts:AssumeRole"
+      ],
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
     }
-    EOF
+  ]
+}
+EOF
 }
 
 resource "aws_iam_policy" batch_processing_lambda_policy {

terraform/lambda/iam.tf

@@ -1,20 +1,20 @@
 resource "aws_iam_role" lambda_role {
   name = "${var.short_prefix}-lambda-role"
   assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
     {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Action": "sts:AssumeRole",
-          "Principal": {
-            "Service": "lambda.amazonaws.com"
-          },
-          "Effect": "Allow",
-          "Sid": ""
-        }
-      ]
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
     }
-    EOF
+  ]
+}
+EOF
 }