[NDR-283] Bypass requirement for Bearer token in FHIR endpoint when using PDM (#856)

Author: jameslinnell

lambdas/handlers/fhir_document_reference_search_handler.py

@@ -15,6 +15,7 @@
 from utils.decorators.validate_patient_id import validate_patient_id_fhir
 from utils.exceptions import AuthorisationException, OidcApiException
 from utils.lambda_exceptions import DocumentRefSearchException, SearchPatientException
+from utils.lambda_handler_utils import extract_bearer_token
 from utils.lambda_response import ApiGatewayResponse
 from utils.request_context import request_context
 
@@ -46,15 +47,15 @@ def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
     """
     logger.info("Received request to search for document references")
 
-    bearer_token = extract_bearer_token(event)
+    bearer_token = extract_bearer_token(event, context)
     selected_role_id = event.get("headers", {}).get(HEADER_CIS2_USER_ID, "")
 
     nhs_number, search_filters = parse_query_parameters(
         event.get("queryStringParameters", {})
     )
     request_context.patient_nhs_no = nhs_number
 
-    if selected_role_id:
+    if selected_role_id and bearer_token:
         validate_user_access(bearer_token, selected_role_id, nhs_number)
 
     service = DocumentReferenceSearchService()
@@ -151,16 +152,3 @@ def validate_user_access(
         search_patient_service.handle_search_patient_request(nhs_number, False)
     except SearchPatientException as e:
         raise DocumentRefSearchException(e.status_code, e.error)
-
-
-def extract_bearer_token(event):
-    """Extract and validate bearer token from event"""
-    headers = event.get("headers", {})
-    if not headers:
-        logger.warning("No headers found in request")
-        raise DocumentRefSearchException(401, LambdaError.DocumentReferenceUnauthorised)
-    bearer_token = headers.get("Authorization", None)
-    if not bearer_token or not bearer_token.startswith("Bearer "):
-        logger.warning("No bearer token found in request")
-        raise DocumentRefSearchException(401, LambdaError.DocumentReferenceUnauthorised)
-    return bearer_token

lambdas/handlers/get_fhir_document_reference_handler.py

@@ -1,4 +1,5 @@
 from enums.lambda_error import LambdaError
+from enums.mtls import MtlsCommonNames
 from oauthlib.oauth2 import WebApplicationClient
 from services.base.ssm_service import SSMService
 from services.dynamic_configuration_service import DynamicConfigurationService
@@ -8,6 +9,8 @@
 from utils.audit_logging_setup import LoggingService
 from utils.decorators.ensure_env_var import ensure_environment_variables
 from utils.decorators.handle_lambda_exceptions import handle_lambda_exceptions_fhir
+from utils.lambda_handler_utils import extract_bearer_token
+from utils.lambda_header_utils import validate_common_name_in_mtls
 from utils.decorators.set_audit_arg import set_request_context_for_logging
 from utils.exceptions import AuthorisationException, OidcApiException
 from utils.lambda_exceptions import (
@@ -34,16 +37,17 @@
 )
 def lambda_handler(event, context):
     try:
-        bearer_token = extract_bearer_token(event)
+        bearer_token = extract_bearer_token(event, context)
         selected_role_id = event.get("headers", {}).get("cis2-urid", None)
+
         document_id, snomed_code = extract_document_parameters(event)
 
         get_document_service = GetFhirDocumentReferenceService()
         document_reference = get_document_service.handle_get_document_reference_request(
             snomed_code, document_id
         )
 
-        if selected_role_id:
+        if selected_role_id and bearer_token:
             verify_user_authorisation(
                 bearer_token, selected_role_id, document_reference.nhs_number
             )
@@ -72,17 +76,6 @@ def lambda_handler(event, context):
         ).create_api_gateway_response()
 
 
-def extract_bearer_token(event):
-    """Extract and validate bearer token from event"""
-    bearer_token = event.get("headers", {}).get("Authorization", None)
-    if not bearer_token or not bearer_token.startswith("Bearer "):
-        logger.warning("No bearer token found in request")
-        raise GetFhirDocumentReferenceException(
-            401, LambdaError.DocumentReferenceUnauthorised
-        )
-    return bearer_token
-
-
 def extract_document_parameters(event):
     """Extract document ID and SNOMED code from path parameters"""
     path_params = event.get("pathParameters", {}).get("id", None)

lambdas/tests/e2e/api/fhir/test_retrieve_document_fhir_api.py

@@ -33,9 +33,7 @@ def build_pdm_record(nhs_number="9912003071", data=None, doc_status=None, size=N
 def get_document_reference(record_id):
     """Helper to perform GET request for DocumentReference."""
     url = f"https://{MTLS_ENDPOINT}/DocumentReference/{PDM_SNOMED}~{record_id}"
-    print("url:", url)
     headers = {
-        "Authorization": "Bearer 123",
         "X-Correlation-Id": "1234",
     }
     session = create_mtls_session()

lambdas/tests/e2e/api/fhir/test_upload_document_fhir_api.py

@@ -68,7 +68,6 @@ def upload_document(session, payload):
     """Helper to upload DocumentReference."""
     url = f"https://{MTLS_ENDPOINT}/DocumentReference"
     headers = {
-        "Authorization": "Bearer 123",
         "X-Correlation-Id": "1234",
     }
     return session.post(url, headers=headers, data=payload)
@@ -78,7 +77,6 @@ def retrieve_document_with_retry(session, doc_id, condition):
     """Poll until condition is met on DocumentReference retrieval."""
     retrieve_url = f"https://{MTLS_ENDPOINT}/DocumentReference/{doc_id}"
     headers = {
-        "Authorization": "Bearer 123",
         "X-Correlation-Id": "1234",
     }
     return fetch_with_retry_mtls(session, retrieve_url, headers, condition)

lambdas/tests/unit/handlers/test_fhir_document_reference_search_handler.py

@@ -4,13 +4,13 @@
 import pytest
 from enums.lambda_error import LambdaError
 from handlers.fhir_document_reference_search_handler import (
-    extract_bearer_token,
     lambda_handler,
     parse_query_parameters,
     validate_user_access,
 )
 from utils.exceptions import AuthorisationException, OidcApiException
 from utils.lambda_exceptions import DocumentRefSearchException
+from utils.lambda_handler_utils import extract_bearer_token
 
 
 @pytest.fixture
@@ -349,27 +349,30 @@ def test_parse_query_parameters():
     assert filters == {}
 
 
-def test_extract_bearer_token_valid():
+def test_extract_bearer_token_valid(context):
+    context.function_name = "SearchDocumentReferencesFHIR"
     event = {"headers": {"Authorization": "Bearer valid-token"}}
 
-    token = extract_bearer_token(event)
+    token = extract_bearer_token(event, context)
     assert token == "Bearer valid-token"
 
 
-def test_extract_bearer_token_invalid_format():
+def test_extract_bearer_token_invalid_format(context):
+    context.function_name = "SearchDocumentReferencesFHIR"
     event = {"headers": {"Authorization": "Token valid-token"}}
 
     with pytest.raises(DocumentRefSearchException) as e:
-        extract_bearer_token(event)
+        extract_bearer_token(event, context)
 
     assert e.value.status_code == 401
 
 
-def test_extract_bearer_token_missing():
+def test_extract_bearer_token_missing(context):
+    context.function_name = "SearchDocumentReferencesFHIR"
     event = {"headers": {}}
 
     with pytest.raises(DocumentRefSearchException) as e:
-        extract_bearer_token(event)
+        extract_bearer_token(event, context)
 
     assert e.value.status_code == 401
 

lambdas/tests/unit/handlers/test_get_fhir_document_reference_handler.py

@@ -5,7 +5,6 @@
 from enums.lambda_error import LambdaError
 from enums.snomed_codes import SnomedCodes
 from handlers.get_fhir_document_reference_handler import (
-    extract_bearer_token,
     extract_document_parameters,
     get_id_and_snomed_from_path_parameters,
     lambda_handler,
@@ -15,6 +14,7 @@
 from tests.unit.conftest import TEST_UUID
 from tests.unit.helpers.data.dynamo.dynamo_responses import MOCK_SEARCH_RESPONSE
 from utils.exceptions import OidcApiException
+from utils.lambda_handler_utils import extract_bearer_token
 from utils.lambda_exceptions import (
     GetFhirDocumentReferenceException,
     SearchPatientException,
@@ -30,6 +30,33 @@
     },
     "pathParameters": {"id": f"{SNOMED_CODE}~{TEST_UUID}"},
     "body": None,
+    "requestContext": {},
+}
+
+MOCK_MTLS_VALID_EVENT = {
+    "httpMethod": "GET",
+    "headers": {},
+    "pathParameters": {"id": f"{SNOMED_CODE}~{TEST_UUID}"},
+    "body": None,
+    "requestContext": {
+        "accountId": "123456789012",
+        "apiId": "abc123",
+        "domainName": "api.example.com",
+        "identity": {
+            "sourceIp": "1.2.3.4",
+            "userAgent": "curl/7.64.1",
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----...",
+                "subjectDN": "CN=ndrclient.main.int.pdm.national.nhs.uk,O=NHS,C=UK",
+                "issuerDN": "CN=NHS Root CA,O=NHS,C=UK",
+                "serialNumber": "12:34:56",
+                "validity": {
+                    "notBefore": "May 10 00:00:00 2024 GMT",
+                    "notAfter": "May 10 00:00:00 2025 GMT",
+                },
+            },
+        },
+    },
 }
 
 MOCK_INVALID_EVENT_ID_MALFORMED = deepcopy(MOCK_CIS2_VALID_EVENT)
@@ -144,15 +171,45 @@ def test_lambda_handler_happy_path_with_application_login(
     )
 
 
-def test_extract_bearer_token():
-    token = extract_bearer_token(MOCK_CIS2_VALID_EVENT)
+def test_lambda_handler_happy_path_with_mtls_pdm_login(
+    set_env,
+    mock_document_service,
+    mock_search_patient_service,
+    context,
+):
+    mock_document_service.create_document_reference_fhir_response.return_value = (
+        "test_document_reference"
+    )
+
+    response = lambda_handler(MOCK_MTLS_VALID_EVENT, context)
+
+    assert response["statusCode"] == 200
+    assert response["body"] == "test_document_reference"
+    # Verify correct method calls
+    mock_document_service.handle_get_document_reference_request.assert_called_once_with(
+        SNOMED_CODE, TEST_UUID
+    )
+    mock_document_service.create_document_reference_fhir_response.assert_called_once_with(
+        MOCK_DOCUMENT_REFERENCE
+    )
+
+
+def test_extract_bearer_token(context):
+    context.function_name = "GetDocumentReference"
+    token = extract_bearer_token(MOCK_CIS2_VALID_EVENT, context)
     assert token == f"Bearer {TEST_UUID}"
 
 
-def test_extract_missing_bearer_token():
+def test_extract_bearer_token_when_pdm(context):
+    token = extract_bearer_token(MOCK_MTLS_VALID_EVENT, context)
+    assert token is None
+
+
+def test_extract_missing_bearer_token(context):
+    context.function_name = "GetDocumentReference"
     event_without_auth = {"headers": {}}
     with pytest.raises(GetFhirDocumentReferenceException) as e:
-        extract_bearer_token(event_without_auth)
+        extract_bearer_token(event_without_auth, context)
     assert e.value.status_code == 401
     assert e.value.error == LambdaError.DocumentReferenceUnauthorised
 
@@ -163,6 +220,12 @@ def test_extract_document_parameters_valid():
     assert snomed_code == SNOMED_CODE
 
 
+def test_extract_document_parameters_valid_pdm():
+    document_id, snomed_code = extract_document_parameters(MOCK_MTLS_VALID_EVENT)
+    assert document_id == TEST_UUID
+    assert snomed_code == SNOMED_CODE
+
+
 def test_extract_document_parameters_invalid():
     with pytest.raises(GetFhirDocumentReferenceException) as e:
         extract_document_parameters(MOCK_INVALID_EVENT_ID_MALFORMED)

lambdas/tests/unit/utils/test_lambda_handler_utils.py

@@ -0,0 +1,110 @@
+import pytest
+from enums.lambda_error import LambdaError
+from tests.unit.conftest import TEST_UUID
+
+from enums.snomed_codes import SnomedCodes
+from utils.lambda_handler_utils import extract_bearer_token
+from utils.lambda_exceptions import (
+    GetFhirDocumentReferenceException,
+    DocumentRefSearchException,
+    DocumentRefException,
+)
+
+LG_SNOMED_CODE = SnomedCodes.LLOYD_GEORGE.value.code
+PDM_SNOMED_CODE = SnomedCodes.PATIENT_DATA.value.code
+
+MOCK_CIS2_VALID_EVENT = {
+    "httpMethod": "GET",
+    "headers": {
+        "Authorization": f"Bearer {TEST_UUID}",
+        "cis2-urid": TEST_UUID,
+    },
+    "pathParameters": {"id": f"{LG_SNOMED_CODE}~{TEST_UUID}"},
+    "body": None,
+    "requestContext": {},
+}
+
+MOCK_MTLS_VALID_EVENT = {
+    "httpMethod": "GET",
+    "headers": {},
+    "pathParameters": {"id": f"{PDM_SNOMED_CODE}~{TEST_UUID}"},
+    "body": None,
+    "requestContext": {
+        "accountId": "123456789012",
+        "apiId": "abc123",
+        "domainName": "api.example.com",
+        "identity": {
+            "sourceIp": "1.2.3.4",
+            "userAgent": "curl/7.64.1",
+            "clientCert": {
+                "clientCertPem": "-----BEGIN CERTIFICATE-----...",
+                "subjectDN": "CN=ndrclient.main.int.pdm.national.nhs.uk,O=NHS,C=UK",
+                "issuerDN": "CN=NHS Root CA,O=NHS,C=UK",
+                "serialNumber": "12:34:56",
+                "validity": {
+                    "notBefore": "May 10 00:00:00 2024 GMT",
+                    "notAfter": "May 10 00:00:00 2025 GMT",
+                },
+            },
+        },
+    },
+}
+
+
+@pytest.mark.parametrize(
+    "function_name, mock_event",
+    [
+        ("GetDocumentReference", MOCK_CIS2_VALID_EVENT),
+        ("SearchDocumentReferencesFHIR", MOCK_CIS2_VALID_EVENT),
+        ("foobar", MOCK_CIS2_VALID_EVENT),
+    ],
+)
+def test_extract_bearer_token_happy_paths(context, function_name, mock_event):
+    context.function_name = function_name
+    token = extract_bearer_token(mock_event, context)
+    assert token == f"Bearer {TEST_UUID}"
+
+
+def test_extract_bearer_token_when_pdm(context):
+    token = extract_bearer_token(MOCK_MTLS_VALID_EVENT, context)
+    assert token is None
+
+
+@pytest.mark.parametrize(
+    "function_name, error_type, headers",
+    [
+        (
+            "GetDocumentReference",
+            GetFhirDocumentReferenceException,
+            {"headers": {}},
+        ),
+        (
+            "SearchDocumentReferencesFHIR",
+            DocumentRefSearchException,
+            {"headers": {}},
+        ),
+        ("foobar", DocumentRefException, {"headers": {}}),
+        (
+            "GetDocumentReference",
+            GetFhirDocumentReferenceException,
+            {"headers": {"Authorization": "foo bar"}},
+        ),
+        (
+            "SearchDocumentReferencesFHIR",
+            DocumentRefSearchException,
+            {"headers": {"Authorization": "foo bar"}},
+        ),
+        (
+            "foobar",
+            DocumentRefException,
+            {"headers": {"Authorization": "foo bar"}},
+        ),
+    ],
+)
+def test_extract_problem_bearer_token(context, function_name, error_type, headers):
+    context.function_name = function_name
+    event_without_auth = headers
+    with pytest.raises(error_type) as e:
+        extract_bearer_token(event_without_auth, context)
+    assert e.value.status_code == 401
+    assert e.value.error == LambdaError.DocumentReferenceUnauthorised