NPA-4599: Add 2 new flows for user and app restricted requests

ellie-bound1-NHSD · ellie-bound1-NHSD · commit 87e0cb84aec9 · 2025-04-01T14:47:50.000+01:00
diff --git a/.flake8 b/.flake8
@@ -1,3 +1,4 @@
 [flake8]
 max-line-length=120
+per-file-ignores=proxies/live/apiproxy/resources/*:F821
 exclude = .git,__pycache__,dist,.venv/*,node_modules/*,utils/*,tests/.venv/*
diff --git a/proxies/live/apiproxy/policies/CheckAppEnabledEndpoint.xml b/proxies/live/apiproxy/policies/CheckAppEnabledEndpoint.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Script async="false" continueOnError="false" enabled="true" name="CheckAppEnabledEndpoint">
+    <DisplayName>CheckAppEnabledEndpoint</DisplayName>
+    <Properties/>
+    <ResourceURL>py://check-app-enabled-endpoint.py</ResourceURL>
+</Script>
diff --git a/proxies/live/apiproxy/policies/CheckUserEnabledEndpoint.xml b/proxies/live/apiproxy/policies/CheckUserEnabledEndpoint.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Script async="false" continueOnError="false" enabled="true" name="CheckUserEnabledEndpoint">
+    <DisplayName>CheckUserEnabledEndpoint</DisplayName>
+    <Properties/>
+    <ResourceURL>py://check-user-enabled-endpoint.py</ResourceURL>
+</Script>
diff --git a/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py
@@ -0,0 +1,9 @@
+path_suffix = flow.getVariable("proxy.pathsuffix")
+request_verb = flow.getVariable("request.verb")
+
+requested_endpoint = (path_suffix, request_verb)
+
+
+auth_permitted = requested_endpoint in [("/FHIR/R4/Consent", "GET")]
+
+flow.setVariable("app_auth_permitted", auth_permitted)
diff --git a/proxies/live/apiproxy/resources/py/user-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/user-enabled-endpoint.py
@@ -0,0 +1,27 @@
+auth_level = flow.getVariable("accesstoken.auth_level")
+path_suffix = flow.getVariable("proxy.pathsuffix")
+request_verb = flow.getVariable("request.verb")
+
+requested_endpoint = (path_suffix, request_verb)
+
+if auth_level == "p9":
+    auth_permitted = requested_endpoint in [
+        ("/FHIR/R4/RelatedPerson", "GET"),
+        ("/FHIR/R4/QuestionnaireResponse", "POST"),
+        ("/FHIR/R4/QuestionnaireResponse", "GET"),
+        ("/FHIR/R4/Consent", "GET"),
+        ("/FHIR/R4/Consent", "PATCH"),
+    ]
+elif auth_level == "all3":
+    auth_permitted = requested_endpoint in [
+        ("/FHIR/R4/RelatedPerson", "GET"),
+        ("/FHIR/R4/Questionnaire", "GET"),
+        ("/FHIR/R4/QuestionnaireResponse", "GET"),
+        ("/FHIR/R4/Consent", "GET"),
+        ("/FHIR/R4/Consent", "POST"),
+        ("/FHIR/R4/Consent", "PATCH"),
+    ]
+else:
+    auth_permitted = False
+
+flow.setVariable("user_auth_permitted", auth_permitted)
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -15,28 +15,50 @@
                 <Name>AddProxyURL</Name>
             </Step>
             <Step>
-                <Name>DecodeAccessTokenJWT</Name>
-            </Step>
-            <Step>
-                <Name>AddUserAuthHeaders</Name>
-            </Step>
-            <Step>
-                <Name>RaiseFault.403Forbidden</Name>
-                <Condition>accesstoken.auth_level != "aal3" and proxy.pathsuffix = "/FHIR/R4/Consent" and request.verb = "POST"</Condition>
-            </Step>
-            <Step>
-                <Name>RaiseFault.403Forbidden</Name>
-                <Condition>accesstoken.auth_level != "p9" and (proxy.pathsuffix != "/FHIR/R4/Consent" or request.verb != "POST")</Condition>
+                <Name>SetRequestAWSMimeType</Name>
             </Step>
             <Step>
                 <Name>RaiseFault.415UnsupportedMediaType</Name>
                 <Condition>request.verb = "POST" and request.header.Content-Type != "application/fhir+json" and request.header.Content-Type != "application/fhir+json; charset=utf-8"</Condition>
             </Step>
-            <Step>
-                <Name>SetRequestAWSMimeType</Name>
-            </Step>
         </Request>
     </PreFlow>
+    <Flows>
+        <Flow name="App Restricted">
+            <Request>
+                <Step>
+                    <Name>CheckAppEnabledEndpoint</Name>
+                </Step>
+                <Step>
+                    <Name>RaiseFault.403Forbidden</Name>
+                    <Condition>app_auth_permitted != true</Condition>
+                </Step>
+                <Step>
+                    <Name>AddUserAuthHeaders</Name>
+                </Step>
+            </Request>
+            <Condition>accesstoken.auth_type = "app"</Condition>
+        </Flow>
+        <Flow name ="User Restricted">
+            <Request>
+                <Step>
+                    <Name>CheckUserEnabledEndpoint</Name>
+                </Step>
+                <Step>
+                    <Name>RaiseFault.403Forbidden</Name>
+                    <Condition>user_auth_permitted != true</Condition>
+                </Step>
+                <Step>
+                    <Name>DecodeAccessTokenJWT</Name>
+                </Step>
+                <Step>
+                    <Name>AddUserAuthHeaders</Name>
+                </Step>
+            </Request>
+            <Condition>accesstoken.auth_type = "user"</Condition>
+        </Flow>
+    </Flows>
+
     <PostFlow>
         <Response>
             <Step>
