NPA-4591: New OAuthV2 policy for CIS2 AAL3 scope conditionally applied in Target PreFlow

Author: ellie-bound1-NHSD

manifest_template.yml

@@ -91,8 +91,9 @@ apigee:
 {% if ENV.has_mock_auth | default(false) %}
           - identity-service-mock-{{ ENV.name }}
 {% endif %}
-        scopes:
+        scopes: # Step 1: Configured product to include scopes
           - 'urn:nhsd:apim:user-nhs-login:P9:{{ SERVICE_NAME }}'
+          - 'urn:nhsd:apim:user-nhs-id:aal3:{{ SERVICE_NAME }}'
     specs:
       - name: {{ NAME }}
         path: {{ SERVICE_NAME }}.json

proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserCIS2AAL3.xml

@@ -0,0 +1,5 @@
+<!--Step 2: Adding VerifyAccessToken policy to your proxy-->
+<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUserCIS2AAL3">
+  <Operation>VerifyAccessToken</Operation>
+  <Scopes>urn:nhsd:apim:user-nhs-id:aal3:validated-relationships-service-api</Scopes>
+</OAuthV2>

proxies/live/apiproxy/targets/target.xml

@@ -2,9 +2,15 @@
 <TargetEndpoint name="validated-relationships-service-api-target">
     <PreFlow>
         <Request>
+        <!--Step 3: Configuring the VerifyAccessToken policy to restrict access-->
             <Step>
+                <Condition>(proxy.pathsuffix ne "/Consent") or (request.verb != "POST")</Condition>
                 <Name>VerifyAccessTokenUserNhsLoginP9</Name>
             </Step>
+            <Step>
+                <Condition>(proxy.pathsuffix MatchesPath "/Consent") and (request.verb = "POST")</Condition>
+                <Name>VerifyAccessTokenUserCIS2AAL3</Name>
+            </Step>
             <Step>
                 <Name>FlowCallout.ApplyRateLimiting</Name>
             </Step>