NPA-4591: Add raise fault step for wrong auth level

Author: ellie-bound1-NHSD

…thV2.VerifyAccessTokenUserNhsLoginP9.xml …licies/OAuthV2.VerifyAccessTokenUser.xmlproxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserNhsLoginP9.xml renamed to proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserNhsLoginP9.xml renamed to proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUser.xml

@@ -1,4 +1,5 @@
-<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUserNhsLoginP9">
+<!--Step 2: Adding VerifyAccessToken policy to your proxy-->
+<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUser">
   <Operation>VerifyAccessToken</Operation>
-  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api</Scopes>
+  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
 </OAuthV2>

proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserCIS2AAL3.xml

@@ -2,14 +2,8 @@
 <TargetEndpoint name="validated-relationships-service-api-target">
     <PreFlow>
         <Request>
-        <!--Step 3: Configuring the VerifyAccessToken policy to restrict access-->
             <Step>
-                <Condition>(proxy.pathsuffix MatchesPath "/Consent") and (request.verb = "POST")</Condition>
-                <Name>VerifyAccessTokenUserCIS2AAL3</Name>
-            </Step>
-            <Step>
-                <Condition>(proxy.pathsuffix != "/Consent") or (request.verb != "POST")</Condition>
-                <Name>VerifyAccessTokenUserNhsLoginP9</Name>
+                <Name>VerifyAccessTokenUser</Name>
             </Step>
             <Step>
                 <Name>FlowCallout.ApplyRateLimiting</Name>
@@ -26,6 +20,14 @@
             <Step>
                 <Name>AddUserAuthHeaders</Name>
             </Step>
+            <Step>
+                <Name>RaiseFault.401Unauthorized</Name>
+                <Condition>accesstoken.auth_level != "aal3" and proxy.pathsuffix = "/FHIR/R4/Consent" and request.verb = "POST"</Condition>
+            </Step>
+            <Step>
+                <Name>RaiseFault.401Unauthorized</Name>
+                <Condition>accesstoken.auth_level != "p9" and (proxy.pathsuffix != "/FHIR/R4/Consent" or request.verb != "POST")</Condition>
+            </Step>
             <Step>
                 <Name>RaiseFault.415UnsupportedMediaType</Name>
                 <Condition>request.verb = "POST" and request.header.Content-Type != "application/fhir+json" and request.header.Content-Type != "application/fhir+json; charset=utf-8"</Condition>