[PRMT-72] Allow non-GP admittance to the NDR (#629)

Author: MohammadIqbalAD-NHS

lambdas/enums/lambda_error.py

@@ -151,13 +151,17 @@ def create_error_body(self, params: Optional[dict] = None) -> str:
         "err_code": "LIN_5008",
         "message": "SSM parameter values for PCSE user role may not exist",
     }
-    LoginGpODS = {
+    LoginGpOrgRoleCode = {
         "err_code": "LIN_5009",
-        "message": "SSM parameter values for GP organisation role code may not exist",
+        "message": "SSM parameter value for GP organisation role code may not exist",
     }
-    LoginPcseODS = {
+    LoginPcseOdsCode = {
         "err_code": "LIN_5010",
-        "message": "SSM parameter values for PSCE ODS code may not exist",
+        "message": "SSM parameter value for PCSE ODS code may not exist",
+    }
+    LoginItocOdsCodes = {
+        "err_code": "LIN_5011",
+        "message": "SSM parameter value for ITOC ODS code may not exist",
     }
 
     """

lambdas/services/login_service.py

@@ -170,25 +170,19 @@ def generate_repository_role(self, organisation: dict, smartcard_role: str):
             in self.token_handler_ssm_service.get_smartcard_role_gp_admin()
         ):
             logger.info("GP Admin: smartcard ODS identified")
-            if self.has_role_org_role_code(
-                organisation, self.token_handler_ssm_service.get_org_role_codes()[0]
-            ):
-                return RepositoryRole.GP_ADMIN
+            return RepositoryRole.GP_ADMIN
 
         if (
             smartcard_role
             in self.token_handler_ssm_service.get_smartcard_role_gp_clinical()
         ):
             logger.info("GP Clinical: smartcard ODS identified")
-            if self.has_role_org_role_code(
-                organisation, self.token_handler_ssm_service.get_org_role_codes()[0]
-            ):
-                return RepositoryRole.GP_CLINICAL
+            return RepositoryRole.GP_CLINICAL
 
         if smartcard_role in self.token_handler_ssm_service.get_smartcard_role_pcse():
             logger.info("PCSE: smartcard ODS identified")
-            if self.has_role_org_ods_code(
-                organisation, self.token_handler_ssm_service.get_org_ods_codes()[0]
+            if self.has_pcse_org_ods_code(
+                organisation, self.token_handler_ssm_service.get_pcse_ods_code()
             ):
                 return RepositoryRole.PCSE
 
@@ -201,16 +195,8 @@ def generate_repository_role(self, organisation: dict, smartcard_role: str):
         )
 
     @staticmethod
-    def has_role_org_role_code(organisation: dict, role_code: str) -> bool:
-        if organisation["role_code"].upper() == role_code.upper():
-            return True
-        return False
-
-    @staticmethod
-    def has_role_org_ods_code(organisation: dict, ods_code: str) -> bool:
-        if organisation["org_ods_code"].upper() == ods_code.upper():
-            return True
-        return False
+    def has_pcse_org_ods_code(organisation: dict, ods_code: str) -> bool:
+        return organisation["org_ods_code"].upper() == ods_code.upper()
 
     def issue_auth_token(
         self,

lambdas/services/ods_api_service.py

@@ -1,18 +1,23 @@
-from typing import Dict, List, NamedTuple
+from typing import Any, Dict, List, NamedTuple, Optional
 
 import requests
+from enums.lambda_error import LambdaError
 from enums.repository_role import OrganisationRelationship
+from services.base.ssm_service import SSMService
 from services.token_handler_ssm_service import TokenHandlerSSMService
 from utils.audit_logging_setup import LoggingService
+from utils.constants.ssm import GP_ORG_ROLE_CODE
 from utils.exceptions import (
     OdsErrorException,
     OrganisationNotFoundException,
     TooManyOrgsException,
 )
+from utils.lambda_exceptions import LoginException
 
 logger = LoggingService(__name__)
 
 token_handler_ssm_service = TokenHandlerSSMService()
+ssm_service = SSMService()
 
 
 class Organisation(NamedTuple):
@@ -51,32 +56,53 @@ def fetch_organisation_with_permitted_role(self, ods_code_list: list[str]) -> Di
         ods_code = ods_code_list[0]
         logger.info(f"ods_code selected: {ods_code}")
 
+        itoc_ods_codes = token_handler_ssm_service.get_itoc_ods_codes()
+
+        if ods_code in itoc_ods_codes:
+            logger.info(f"ODS code {ods_code} is ITOC, returning org data")
+            return parse_ods_response({}, "", "ITOC")
+
         org_data = self.fetch_organisation_data(ods_code)
 
         logger.info(f"Org Data: {org_data}")
 
-        pcse_ods = find_and_get_pcse_ods(ods_code)
+        gp_org_role_code = get_user_gp_org_role_code(org_data)
+
+        if gp_org_role_code is not None:
+            logger.info(f"ODS code {ods_code} is a GP, returning org data")
+            icb_ods_code = find_icb_for_user(org_data["Organisation"])
+            response = parse_ods_response(org_data, gp_org_role_code, icb_ods_code)
+            return response
+
+        pcse_ods_code = token_handler_ssm_service.get_pcse_ods_code()
 
-        if pcse_ods is not None:
+        if ods_code == pcse_ods_code:
             logger.info(f"ODS code {ods_code} is PCSE, returning org data")
             response = parse_ods_response(org_data, "", "PCSE")
             return response
 
-        gpp_org = find_and_get_gpp_org_code(org_data)
+        allowed_ods_code_list = (
+            token_handler_ssm_service.get_allowed_list_of_ods_codes()
+        )
 
-        if gpp_org is not None:
-            logger.info(f"ODS code {ods_code} is a GPP, returning org data")
+        if ods_code in allowed_ods_code_list:
+            logger.info(f"ODS code {ods_code} is in allowed list, returning org data")
             icb_ods_code = find_icb_for_user(org_data["Organisation"])
-            response = parse_ods_response(org_data, gpp_org, icb_ods_code)
+            primary_org_role_code = get_user_primary_org_role_code(org_data)
+            response = parse_ods_response(org_data, primary_org_role_code, icb_ods_code)
             return response
 
-        logger.info(f"ODS code {ods_code} is not a GPP or PCSE, returning empty list")
+        logger.info(
+            f"ODS code {ods_code} is not a GP, PCSE, ITOC nor in allowed list, returning empty list"
+        )
         return {}
 
 
 def parse_ods_response(org_data, role_code, icb_ods_code) -> dict:
-    org_name = org_data["Organisation"]["Name"]
-    org_ods_code = org_data["Organisation"]["OrgId"]["extension"]
+    org_name = org_data.get("Organisation", {}).get("Name", "")
+    org_ods_code = (
+        org_data.get("Organisation", {}).get("OrgId", {}).get("extension", "")
+    )
 
     response_dictionary = {
         "name": org_name,
@@ -89,25 +115,36 @@ def parse_ods_response(org_data, role_code, icb_ods_code) -> dict:
     return response_dictionary
 
 
-def find_and_get_gpp_org_code(org_details):
-    logger.info("Checking GPP Roles")
-    json_roles: List[Dict] = org_details["Organisation"]["Roles"]["Role"]
+def get_user_gp_org_role_code(org_data: Dict[str, Any]) -> Optional[str]:
+    logger.info("starting ssm request to retrieve GP organisation role code")
+    gp_org_role_code = ssm_service.get_ssm_parameter(GP_ORG_ROLE_CODE)
 
-    org_role_codes = token_handler_ssm_service.get_org_role_codes()
-    for json_role in json_roles:
-        if json_role["id"] in org_role_codes:
-            return json_role["id"]
-    return None
+    if gp_org_role_code:
+        logger.info("Checking if GP organisation role is present")
+        json_roles: List[Dict] = org_data["Organisation"]["Roles"]["Role"]
+        for json_role in json_roles:
+            if json_role["id"] == gp_org_role_code:
+                return json_role["id"]
+        return None
+
+    logger.error(
+        LambdaError.LoginGpOrgRoleCode.to_str(),
+        {"Result": "Unsuccessful login"},
+    )
+    raise LoginException(500, LambdaError.LoginGpOrgRoleCode)
 
 
-def find_and_get_pcse_ods(ods_code):
-    logger.info("Checking PCSE Roles")
-    if ods_code == token_handler_ssm_service.get_org_ods_codes()[0]:
-        return ods_code
-    return None
+def get_user_primary_org_role_code(org_data: Dict[str, Any]) -> str:
+    logger.info("Checking if a primary organisation role is present")
+    json_roles: List[Dict] = org_data["Organisation"]["Roles"]["Role"]
+
+    for json_role in json_roles:
+        if "primaryRole" in json_role:
+            return json_role["id"]
+    return ""
 
 
-def find_icb_for_user(org_data):
+def find_icb_for_user(org_data: Dict[str, Any]) -> str:
     logger.info("Checking relationships")
     try:
         relationships: List[Dict] = org_data["Rels"]["Rel"]

lambdas/services/token_handler_ssm_service.py

@@ -2,9 +2,11 @@
 from services.base.ssm_service import SSMService
 from utils.audit_logging_setup import LoggingService
 from utils.constants.ssm import (
+    ALLOWED_ODS_CODES_LIST,
     GP_ADMIN_USER_ROLE_CODES,
     GP_CLINICAL_USER_ROLE_CODE,
     GP_ORG_ROLE_CODE,
+    ITOC_ODS_CODES,
     PCSE_ODS_CODE,
     PCSE_USER_ROLE_CODE,
 )
@@ -93,40 +95,53 @@ def get_smartcard_role_pcse(self) -> list[str]:
         response = values.split(",")
         return response
 
-    def get_org_role_codes(self) -> list[str]:
-        logger.info("starting ssm request to retrieve required org roles codes")
-        params = self.get_ssm_parameters(
-            [
-                GP_ORG_ROLE_CODE,
-            ]
+    def get_gp_org_role_code(self) -> str:
+        logger.info("starting ssm request to retrieve GP organisation role code")
+        response = self.get_ssm_parameter(GP_ORG_ROLE_CODE)
+
+        if response:
+            return response
+
+        logger.error(
+            LambdaError.LoginGpOrgRoleCode.to_str(),
+            {"Result": "Unsuccessful login"},
         )
-        response = [params.get(GP_ORG_ROLE_CODE)]
-        if None in response:
-            logger.error(
-                LambdaError.LoginGpODS.to_str(),
-                {"Result": "Unsuccessful login"},
-            )
-            raise LoginException(500, LambdaError.LoginGpODS)
-        return response
+        raise LoginException(500, LambdaError.LoginGpOrgRoleCode)
 
-    def get_org_ods_codes(self) -> list[str]:
-        logger.info("starting ssm request to retrieve required org ods codes")
-        params = self.get_ssm_parameters(
-            [
-                PCSE_ODS_CODE,
-            ]
+    def get_pcse_ods_code(self) -> str:
+        logger.info("starting ssm request to retrieve PCSE ODS code")
+        response = self.get_ssm_parameter(PCSE_ODS_CODE)
+
+        if response:
+            return response
+
+        logger.error(
+            LambdaError.LoginPcseOdsCode.to_str(),
+            {"Result": "Unsuccessful login"},
         )
-        response = [params.get(PCSE_ODS_CODE)]
-        if None in response:
-            logger.error(
-                LambdaError.LoginPcseODS.to_str(),
-                {"Result": "Unsuccessful login"},
-            )
-            raise LoginException(500, LambdaError.LoginPcseODS)
-        return response
+        raise LoginException(500, LambdaError.LoginPcseOdsCode)
+
+    def get_itoc_ods_codes(self) -> str:
+        logger.info("starting ssm request to retrieve ITOC ODS codes")
+        response = self.get_ssm_parameter(ITOC_ODS_CODES)
+        if response:
+            return response
+
+        logger.error(
+            LambdaError.LoginItocOdsCodes.to_str(),
+            {"Result": "Unsuccessful login"},
+        )
+        raise LoginException(500, LambdaError.LoginItocOdsCodes)
 
     def get_jwt_private_key(self) -> list[str]:
         logger.info("starting ssm request to retrieve NDR private key")
         return self.get_ssm_parameter(
             parameter_key="jwt_token_private_key", with_decryption=True
         )
+
+    def get_allowed_list_of_ods_codes(self) -> str:
+        logger.info("starting ssm request to retrieve allowed list of ODS codes")
+        response = self.get_ssm_parameter(ALLOWED_ODS_CODES_LIST)
+        if not response:
+            logger.warning("No ODS codes found in allowed list")
+        return response

lambdas/tests/unit/services/test_login_service.py

@@ -248,7 +248,7 @@ def test_generate_repository_role_gp_admin(set_env, mocker):
         return_value=[user_role_code],
     )
     mocker.patch.object(
-        TokenHandlerSSMService, "get_org_role_codes", return_value=[org_role_code]
+        TokenHandlerSSMService, "get_gp_org_role_code", return_value=org_role_code
     )
 
     login_service = LoginService()
@@ -276,7 +276,7 @@ def test_generate_repository_role_gp_clinical(set_env, mocker):
         return_value=[user_role_code],
     )
     mocker.patch.object(
-        TokenHandlerSSMService, "get_org_role_codes", return_value=[org_role_code]
+        TokenHandlerSSMService, "get_gp_org_role_code", return_value=org_role_code
     )
 
     login_service = LoginService()
@@ -307,7 +307,7 @@ def test_generate_repository_role_pcse(set_env, mocker):
         TokenHandlerSSMService, "get_smartcard_role_pcse", return_value=user_role_code
     )
     mocker.patch.object(
-        TokenHandlerSSMService, "get_org_ods_codes", return_value=[ods_code]
+        TokenHandlerSSMService, "get_pcse_ods_code", return_value=ods_code
     )
 
     login_service = LoginService()