add authorization

Author: Akol125

lambdas/filenameprocessor/src/constants.py

@@ -62,3 +62,9 @@ class AuditTableKeys(StrEnum):
     TIMESTAMP = "timestamp"
     EXPIRES_AT = "expires_at"
     ERROR_DETAILS = "error_details"
+
+
+class Operation(str):
+    CREATE = "C"
+    UPDATE = "U"
+    DELETE = "D"

lambdas/filenameprocessor/src/file_name_processor.py

@@ -24,7 +24,6 @@
     ERROR_TYPE_TO_STATUS_CODE_MAP,
     EXPECTED_BUCKET_OWNER_ACCOUNT,
     EXTENDED_ATTRIBUTES_FILE_PREFIX,
-    EXTENDED_ATTRIBUTES_VACC_TYPE,
     SOURCE_BUCKET_NAME,
     FileNotProcessedReason,
     FileStatus,
@@ -37,7 +36,7 @@
     VaccineTypePermissionsError,
 )
 from send_sqs_message import make_and_send_sqs_message
-from supplier_permissions import validate_vaccine_type_permissions
+from supplier_permissions import validate_permissions_for_extended_attributes_files, validate_vaccine_type_permissions
 from utils_for_filenameprocessor import get_creation_and_expiry_times
 
 
@@ -108,8 +107,8 @@ def handle_unexpected_bucket_name(bucket_name: str, file_key: str) -> dict:
     config and overarching design"""
     try:
         if file_key.startswith(EXTENDED_ATTRIBUTES_FILE_PREFIX):
-            organization_code = validate_extended_attributes_file_key(file_key)
-            extended_attribute_identifier = f"{organization_code}_{EXTENDED_ATTRIBUTES_VACC_TYPE}"
+            vaccine_type, supplier = validate_extended_attributes_file_key(file_key)
+            extended_attribute_identifier = f"{supplier}_{vaccine_type}"
             logger.error(
                 "Unable to process file %s due to unexpected bucket name %s",
                 file_key,
@@ -250,8 +249,8 @@ def handle_extended_attributes_file(
 
     extended_attribute_identifier = None
     try:
-        organization_code = validate_extended_attributes_file_key(file_key)
-        extended_attribute_identifier = f"{organization_code}_{EXTENDED_ATTRIBUTES_VACC_TYPE}"
+        vaccine_type, supplier = validate_extended_attributes_file_key(file_key)
+        extended_attribute_identifier = validate_permissions_for_extended_attributes_files(vaccine_type, supplier)
 
         upsert_audit_table(
             message_id,

lambdas/filenameprocessor/src/file_validation.py

@@ -3,7 +3,7 @@
 from datetime import datetime
 from re import match
 
-from constants import EXTENDED_ATTRIBUTES_FILE_PREFIX, VALID_EA_VERSIONS, VALID_VERSIONS
+from constants import EXTENDED_ATTRIBUTES_FILE_PREFIX, EXTENDED_ATTRIBUTES_VACC_TYPE, VALID_EA_VERSIONS, VALID_VERSIONS
 from elasticache import (
     get_supplier_system_from_cache,
     get_valid_vaccine_types_from_cache,
@@ -52,7 +52,7 @@ def validate_extended_attributes_file_key(file_key: str) -> str:
     timestamp = file_key_parts_without_extension[6]
     supplier = get_supplier_system_from_cache(organization_code)
     valid_vaccine_types = get_valid_vaccine_types_from_cache()
-    vaccine_type = "COVID"
+    vaccine_type = EXTENDED_ATTRIBUTES_VACC_TYPE
 
     if not (
         vaccine_type in valid_vaccine_types
@@ -66,7 +66,7 @@ def validate_extended_attributes_file_key(file_key: str) -> str:
     ):
         raise InvalidFileKeyError("Initial file validation failed: invalid file key")
 
-    return organization_code
+    return vaccine_type, organization_code
 
 
 def validate_batch_file_key(file_key: str) -> tuple[str, str]:

lambdas/filenameprocessor/src/supplier_permissions.py

@@ -1,6 +1,7 @@
 """Functions for fetching supplier permissions"""
 
 from common.clients import logger
+from constants import Operation
 from elasticache import get_supplier_permissions_from_cache
 from models.errors import VaccineTypePermissionsError
 
@@ -19,3 +20,25 @@ def validate_vaccine_type_permissions(vaccine_type: str, supplier: str) -> list:
         raise VaccineTypePermissionsError(error_message)
 
     return supplier_permissions
+
+
+def validate_permissions_for_extended_attributes_files(vaccine_type: str, supplier: str) -> list:
+    """
+    Checks that the supplier has COVID vaccine type and its CUD permissions.
+    Raises an exception if the supplier does not have at least one permission for the vaccine type.
+    """
+    allowed_operations = {
+        Operation.CREATE,
+        Operation.UPDATE,
+        Operation.DELETE,
+    }
+    supplier_permissions = get_supplier_permissions_from_cache(supplier)
+    cached_operations = [
+        permission.split(".")[1] for permission in supplier_permissions if permission.split(".")[0] == vaccine_type
+    ]
+    if not (cached_operations and allowed_operations.issubset(set(cached_operations[0]))):
+        error_message = f"Initial file validation failed: {supplier} does not have permissions for {vaccine_type}"
+        logger.error(error_message)
+        raise VaccineTypePermissionsError(error_message)
+
+    return f"{supplier}_{vaccine_type}"

lambdas/filenameprocessor/tests/test_file_key_validation.py

@@ -135,8 +135,9 @@ def test_validate_extended_attributes_file_key(self, mock_get_redis_client):
                 mock_redis.hget.side_effect = create_mock_hget(MOCK_ODS_CODE_TO_SUPPLIER, {})
                 mock_redis.hkeys.return_value = ["COVID"]
                 mock_get_redis_client.return_value = mock_redis
+                vaccine_type, supplier = validate_extended_attributes_file_key(file_key)
                 self.assertEqual(
-                    validate_extended_attributes_file_key(file_key),
+                    supplier,
                     expected_result,
                 )
 

lambdas/filenameprocessor/tests/test_lambda_handler.py

@@ -272,6 +272,7 @@ def test_lambda_handler_extended_attributes_success(self, mock_get_redis_client)
 
         # Patch uuid4 (message id), and prevent external copy issues by simulating move
         with (
+            patch("file_name_processor.validate_permissions_for_extended_attributes_files", return_value="X8E5B_COVID"),
             patch("file_name_processor.uuid4", return_value=test_cases[0].message_id),
             patch(
                 "file_name_processor.copy_file_to_external_bucket",
@@ -348,6 +349,7 @@ def test_lambda_handler_extended_attributes_failure(self, mock_get_redis_client)
 
         # Patch uuid4 (message id), and raise an exception instead of moving the file.
         with (
+            patch("file_name_processor.validate_permissions_for_extended_attributes_files", return_value="X8E5B_COVID"),
             patch("file_name_processor.uuid4", return_value=test_cases[0].message_id),
             patch("file_name_processor.copy_file_to_external_bucket", side_effect=Exception("Test ClientError")),
             patch(
@@ -472,6 +474,7 @@ def test_lambda_handler_extended_attributes_extension_checks(self, mock_get_redi
         csv_key = MockFileDetails.extended_attributes_file.file_key
         s3_client.put_object(Bucket=BucketNames.SOURCE, Key=csv_key, Body=MOCK_EXTENDED_ATTRIBUTES_FILE_CONTENT)
         with (
+            patch("file_name_processor.validate_permissions_for_extended_attributes_files", return_value="X8E5B_COVID"),
             patch("file_name_processor.uuid4", return_value="EA_csv_id"),
             patch(
                 "file_name_processor.copy_file_to_external_bucket",
@@ -500,9 +503,10 @@ def test_lambda_handler_extended_attributes_extension_checks(self, mock_get_redi
         s3_client.get_object(Bucket=BucketNames.DESTINATION, Key=f"dps_destination/{csv_key}")
 
         # .DAT accepted
-        dat_key = csv_key[:-3] + "dat"
+        dat_key = MockFileDetails.extended_attributes_file.file_key[:-3] + "dat"
         s3_client.put_object(Bucket=BucketNames.SOURCE, Key=dat_key, Body=MOCK_EXTENDED_ATTRIBUTES_FILE_CONTENT)
         with (
+            patch("file_name_processor.validate_permissions_for_extended_attributes_files", return_value="X8E5B_COVID"),
             patch("file_name_processor.uuid4", return_value="EA_dat_id"),
             patch(
                 "file_name_processor.copy_file_to_external_bucket",