Merge pull request #167 from NHSDigital/dev/NPA-4599/Add-App-Restricted-Authentication

ellie-bound1-NHSD · web-flow · commit 2dc8d18fca98 · 2025-04-03T14:23:44.000+01:00
NPA-4599: Added App Restricted Authentication
diff --git a/.flake8 b/.flake8
@@ -1,3 +1,4 @@
 [flake8]
 max-line-length=120
+per-file-ignores=proxies/live/apiproxy/resources/*:F821
 exclude = .git,__pycache__,dist,.venv/*,node_modules/*,utils/*,tests/.venv/*
diff --git a/manifest_template.yml b/manifest_template.yml
@@ -94,6 +94,7 @@ apigee:
         scopes: # Step 1: Configured product to include scopes
           - 'urn:nhsd:apim:user-nhs-login:P9:{{ SERVICE_NAME }}'
           - 'urn:nhsd:apim:user-nhs-id:aal3:{{ SERVICE_NAME }}'
+          - 'urn:nhsd:apim:app:level3:{{ SERVICE_NAME }}'
     specs:
       - name: {{ NAME }}
         path: {{ SERVICE_NAME }}.json
diff --git a/proxies/live/apiproxy/policies/AssignMessage.AddAuthHeaders.xml b/proxies/live/apiproxy/policies/AssignMessage.AddAuthHeaders.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<AssignMessage async="false" continueOnError="false" enabled="true" name="AddUserAuthHeaders">
-    <DisplayName>Add User Auth Headers</DisplayName>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AddAuthHeaders">
+    <DisplayName>AddAuthHeaders</DisplayName>
     <Add>
         <Headers>
             <Header name="accesstoken.auth_level">{toUpperCase(accesstoken.auth_level)}</Header>
diff --git a/proxies/live/apiproxy/policies/CheckAppEnabledEndpoint.xml b/proxies/live/apiproxy/policies/CheckAppEnabledEndpoint.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Script async="false" continueOnError="false" enabled="true" name="CheckAppEnabledEndpoint">
+    <DisplayName>CheckAppEnabledEndpoint</DisplayName>
+    <Properties/>
+    <ResourceURL>py://check-app-enabled-endpoint.py</ResourceURL>
+</Script>
diff --git a/proxies/live/apiproxy/policies/CheckUserEnabledEndpoint.xml b/proxies/live/apiproxy/policies/CheckUserEnabledEndpoint.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Script async="false" continueOnError="false" enabled="true" name="CheckUserEnabledEndpoint">
+    <DisplayName>CheckUserEnabledEndpoint</DisplayName>
+    <Properties/>
+    <ResourceURL>py://check-user-enabled-endpoint.py</ResourceURL>
+</Script>
diff --git a/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml b/proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml
@@ -1,5 +1,5 @@
 <!--Step 2: Adding VerifyAccessToken policy to your proxy-->
 <OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUser">
   <Operation>VerifyAccessToken</Operation>
-  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
+  <Scopes>urn:nhsd:apim:app:level3:validated-relationships-service-api urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
 </OAuthV2>
diff --git a/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py
@@ -0,0 +1,12 @@
+path_suffix = flow.getVariable("proxy.pathsuffix").lower()
+request_verb = flow.getVariable("request.verb").lower()
+
+requested_endpoint = (path_suffix, request_verb)
+
+
+auth_forbidden = requested_endpoint in [
+    ("/fhir/r4/relatedperson", "get"),
+    ("/fhir/r4/questionnaireresponse", "post"),
+]
+
+flow.setVariable("app_auth_forbidden", auth_forbidden)
diff --git a/proxies/live/apiproxy/resources/py/check-user-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-user-enabled-endpoint.py
@@ -0,0 +1,16 @@
+auth_level = flow.getVariable("accesstoken.auth_level").lower()
+path_suffix = flow.getVariable("proxy.pathsuffix").lower()
+request_verb = flow.getVariable("request.verb").lower()
+
+requested_resource = (path_suffix, request_verb)
+
+if auth_level == "p9":
+    blocked_resources = [("/fhir/r4/consent", "post"), ("/fhir/r4/consent", "patch")]
+elif auth_level == "all3":
+    blocked_resources = [("/fhir/r4/questionnaireresponse", "post")]
+else:
+    blocked_resources = []
+
+auth_forbidden = requested_resource in blocked_resources
+
+flow.setVariable("user_auth_forbidden", auth_forbidden)
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -14,20 +14,6 @@
             <Step>
                 <Name>AddProxyURL</Name>
             </Step>
-            <Step>
-                <Name>DecodeAccessTokenJWT</Name>
-            </Step>
-            <Step>
-                <Name>AddUserAuthHeaders</Name>
-            </Step>
-            <Step>
-                <Name>RaiseFault.403Forbidden</Name>
-                <Condition>accesstoken.auth_level != "aal3" and proxy.pathsuffix = "/FHIR/R4/Consent" and request.verb = "POST"</Condition>
-            </Step>
-            <Step>
-                <Name>RaiseFault.403Forbidden</Name>
-                <Condition>accesstoken.auth_level != "p9" and (proxy.pathsuffix != "/FHIR/R4/Consent" or request.verb != "POST")</Condition>
-            </Step>
             <Step>
                 <Name>RaiseFault.415UnsupportedMediaType</Name>
                 <Condition>request.verb = "POST" and request.header.Content-Type != "application/fhir+json" and request.header.Content-Type != "application/fhir+json; charset=utf-8"</Condition>
@@ -37,6 +23,42 @@
             </Step>
         </Request>
     </PreFlow>
+    <Flows>
+        <Flow name="App Restricted">
+            <Condition>accesstoken.auth_type = "app"</Condition>
+            <Request>
+                <Step>
+                    <Name>CheckAppEnabledEndpoint</Name>
+                </Step>
+                <Step>
+                    <Name>RaiseFault.403Forbidden</Name>
+                    <Condition>app_auth_forbidden = true</Condition>
+                </Step>
+                <Step>
+                    <Name>AddAuthHeaders</Name>
+                </Step>
+            </Request>
+        </Flow>
+        <Flow name ="User Restricted">
+            <Condition>accesstoken.auth_type = "user"</Condition>
+            <Request>
+                <Step>
+                    <Name>CheckUserEnabledEndpoint</Name>
+                </Step>
+                <Step>
+                    <Name>RaiseFault.403Forbidden</Name>
+                    <Condition>user_auth_forbidden = true</Condition>
+                </Step>
+                <Step>
+                    <Name>DecodeAccessTokenJWT</Name>
+                </Step>
+                <Step>
+                    <Name>AddAuthHeaders</Name>
+                </Step>
+            </Request>
+        </Flow>
+    </Flows>
+
     <PostFlow>
         <Response>
             <Step>
