Merge branch 'main' into AEA-6037

Author: connoravo-nhs

.devcontainer/devcontainer.json

@@ -35,7 +35,8 @@
         "timonwong.shellcheck",
         "mkhl.direnv",
         "github.vscode-github-actions",
-        "Orta.vscode-jest"
+        "Orta.vscode-jest",
+        "jebbs.plantuml"
       ],
       "settings": {
         "python.defaultInterpreterPath": "/workspaces/prescriptionsforpatients/.venv/bin/python",

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
@@ -45,7 +45,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/pull_request.yml

@@ -10,7 +10,7 @@ env:
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
@@ -34,15 +34,15 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
 
   get_issue_number:
     runs-on: ubuntu-22.04
@@ -73,7 +73,7 @@ jobs:
 
   tag_release:
     needs: [get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
@@ -42,7 +42,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@41e3450a9869f278be0e431a4b47b5c77bd55559
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@86a580e5eb38584c877ccfba5fc6f3f071faeffe
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/run_regression_tests.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Generate a token to authenticate regression testing
         id: generate-token
-        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
         with:
           app-id: ${{ vars.REGRESSION_TESTS_APP_ID }}
           private-key: ${{ secrets.REGRESSION_TESTS_PEM }}
@@ -52,7 +52,7 @@ jobs:
           asdf_version: ${{ steps.asdf-version.outputs.version }}
 
       - name: Cache asdf
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
         with:
           path: |
             ~/.asdf

.github/workflows/sam_package_code.yml

@@ -28,7 +28,7 @@ jobs:
           asdf_version: ${{ steps.asdf-version.outputs.version }}
 
       - name: Cache asdf
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb
         with:
           path: |
             ~/.asdf

docs/pfp-AEA-5947-proxy-access.puml

@@ -0,0 +1,78 @@
+@startuml
+title: AEA-5947: (TO BE) Proxy Access Flow for Get My Prescriptions
+
+participant User
+participant "NHS App" as App
+participant "NHS App Backend" as AppBackend
+participant "Apigee" as Apigee
+participant "ProxyRules" as ProxyRules
+participant "Step Functions StateMachine" as StateMachine
+participant "GetMyPrescriptions Lambda" as GmpLambda
+participant "psu Get Status Updates Lambda" as GsuLambda
+participant "EnrichPrescriptions Lambda" as EpLambda
+participant SpineClient
+participant Spine
+
+User -> App: Request
+App -> AppBackend: Request API
+AppBackend -> Apigee: Call PfP API
+Apigee -> ProxyRules: Forward request
+ProxyRules -> ProxyRules: Preflow
+note right #FF9999
+  Oauth token validation etc. is unchanged
+  NEW: Sets delegated-access.enabled and IgnoreUnresolvedVariables to true
+end note
+ProxyRules -> ProxyRules: AddPatientAccessHeader
+note right
+  Sets NHSD-NHSLogin-User to PX:JWT claim NHS number
+end note
+ProxyRules -> ProxyRules: AM-Add-Delegation-Headers
+note right #FF9999
+  NEW: Sets new headers, completely separate to NHSD-NHSLogin-User 
+end note
+ProxyRules -> ProxyRules: OverridePatientAccessHeader
+note right
+  Overwrites NHSD-NHSLogin-User with P9:request header X-NHS-NUMBER
+end note
+ProxyRules -> StateMachine: Forward request
+StateMachine -> GmpLambda: Forward request
+activate GmpLambda
+GmpLambda -> GmpLambda: adaptHeadersToSpine(headers)
+note right #FF9999
+  As well as the existing behaviour that sends spine the same values for
+  both NHSD-NHSLogin-User (actor) and nhsNumber (subject)
+  these are now separated if delegated-access.enabled is true
+end note
+GmpLambda -> SpineClient: getPrescriptions(*all* headers)
+SpineClient -> Spine: get request
+activate Spine
+Spine -> Spine: _createContext
+note right #FF9999
+  NEW: Add actor to context
+end note
+== other calls, not least the actual query ==
+Spine -> Spine: auditSarAccessRequest
+note right #FF9999
+  NEW: Add actor to SAR0001 log
+end note
+Spine -> SpineClient: Response
+deactivate Spine
+SpineClient -> GmpLambda
+GmpLambda -> StateMachine: Response
+deactivate GmpLambda
+StateMachine -> GsuLambda: Forward response
+GsuLambda -> SpineClient: getStatus(*all* headers)
+SpineClient -> Spine: get request
+Spine -> SpineClient: Response
+SpineClient -> StateMachine: Response
+GsuLambda -> StateMachine: 
+StateMachine -> EpLambda: Forward response
+EpLambda -> StateMachine: 
+StateMachine -> ProxyRules: Response
+note right #FF9999
+  NEW: This is happy path but we must add RaiseFault flow too 
+end note
+ProxyRules -> Apigee: Response
+Apigee -> App: Forward response
+App -> User: Display result
+@enduml

docs/pfp-AS-IS.puml

@@ -0,0 +1,61 @@
+@startuml
+title: AEA-5947: (AS IS) Proxy Access Flow for Get My Prescriptions
+
+participant User
+participant "NHS App" as App
+participant "NHS App Backend" as AppBackend
+participant "Apigee" as Apigee
+participant "ProxyRules" as ProxyRules
+participant "Step Functions StateMachine" as StateMachine
+participant "GetMyPrescriptions Lambda" as GmpLambda
+participant "psu Get Status Updates Lambda" as GsuLambda
+participant "EnrichPrescriptions Lambda" as EpLambda
+participant SpineClient
+participant "Spine Patient Facing Prescriptions" as Spine
+
+User -> App: Request
+App -> AppBackend: Request API
+AppBackend -> Apigee: Call PfP API
+Apigee -> ProxyRules: Forward request
+ProxyRules -> ProxyRules: Preflow
+note right
+  Includes OAuth token validation etc.
+end note
+ProxyRules -> ProxyRules: AddPatientAccessHeader
+note right
+  Sets NHSD-NHSLogin-User to PX:JWT claim NHS number
+end note
+ProxyRules -> ProxyRules: OverridePatientAccessHeader
+note right
+  Overwrites NHSD-NHSLogin-User with P9:request header X-NHS-NUMBER
+  TODO who sets X-NHS-NUMBER? Is it trusted?
+  TODO given this is within an Azure pipeline condition does it ever get called?
+end note
+ProxyRules -> StateMachine: Forward request
+StateMachine -> GmpLambda: Forward request
+activate GmpLambda
+GmpLambda -> GmpLambda: extractNHSNumber(headers["nhsd-nhslogin-user"])
+GmpLambda -> SpineClient: getPrescriptions(*all* headers)
+SpineClient -> Spine: get request
+activate Spine
+Spine -> Spine: _createContext
+== other calls, not least the actual query ==
+Spine -> Spine: auditSarAccessRequest
+Spine -> SpineClient: Response
+deactivate Spine
+SpineClient -> GmpLambda
+GmpLambda -> StateMachine: Response
+deactivate GmpLambda
+StateMachine -> GsuLambda: Forward response
+GsuLambda -> SpineClient: getStatus(*all* headers)
+SpineClient -> Spine: get request
+Spine -> SpineClient: Response
+SpineClient -> StateMachine: Response
+GsuLambda -> StateMachine: 
+StateMachine -> EpLambda: Forward response
+EpLambda -> StateMachine: 
+StateMachine -> ProxyRules: Response
+ProxyRules -> Apigee: Response
+Apigee -> App: Forward response
+App -> User: Display result
+@enduml