NPA-4599: Block resources rather than specify only valid resources

Author: ellie-bound1-NHSD

proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py

@@ -4,6 +4,9 @@
 requested_endpoint = (path_suffix, request_verb)
 
 
-auth_permitted = requested_endpoint in [("/FHIR/R4/Consent", "GET")]
+auth_forbidden = requested_endpoint in [
+    ("/FHIR/R4/RelatedPerson", "GET"),
+    ("/FHIR/R4/QuestionnaireResponse", "POST"),
+]
 
-flow.setVariable("app_auth_permitted", auth_permitted)
+flow.setVariable("app_auth_forbidden", auth_forbidden)

proxies/live/apiproxy/resources/py/check-user-enabled-endpoint.py

@@ -0,0 +1,16 @@
+auth_level = flow.getVariable("accesstoken.auth_level")
+path_suffix = flow.getVariable("proxy.pathsuffix")
+request_verb = flow.getVariable("request.verb")
+
+requested_resource = (path_suffix, request_verb)
+
+if auth_level == "p9":
+    blocked_resources = [("/FHIR/R4/Consent", "POST"), ("/FHIR/R4/Consent", "PATCH")]
+elif auth_level == "all3":
+    blocked_resources = [("/FHIR/R4/QuestionnaireResponse", "POST")]
+else:
+    blocked_resources = []
+
+auth_forbidden = requested_resource in blocked_resources
+
+flow.setVariable("user_auth_forbidden", auth_forbidden)

proxies/live/apiproxy/resources/py/user-enabled-endpoint.py

@@ -31,7 +31,7 @@
                 </Step>
                 <Step>
                     <Name>RaiseFault.403Forbidden</Name>
-                    <Condition>app_auth_permitted != true</Condition>
+                    <Condition>app_auth_forbidden = true</Condition>
                 </Step>
                 <Step>
                     <Name>AddUserAuthHeaders</Name>
@@ -46,7 +46,7 @@
                 </Step>
                 <Step>
                     <Name>RaiseFault.403Forbidden</Name>
-                    <Condition>user_auth_permitted != true</Condition>
+                    <Condition>user_auth_forbidden = true</Condition>
                 </Step>
                 <Step>
                     <Name>DecodeAccessTokenJWT</Name>