NPA-4599: Block resources rather than specify only valid resources

ellie-bound1-NHSD · ellie-bound1-NHSD · commit 90e874f4f03f · 2025-04-01T15:48:56.000+01:00
diff --git a/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py
@@ -4,6 +4,13 @@
 requested_endpoint = (path_suffix, request_verb)
 
 
-auth_permitted = requested_endpoint in [("/FHIR/R4/Consent", "GET")]
+auth_forbidden = requested_endpoint in [
+    ("/FHIR/R4/RelatedPerson", "GET"),
+    ("/FHIR/R4/Questionnaire", "GET"),
+    ("/FHIR/R4/QuestionnaireResponse", "POST"),
+    ("/FHIR/R4/QuestionnaireResponse", "GET"),
+    ("/FHIR/R4/Consent", "POST"),
+    ("/FHIR/R4/Consent", "PATCH"),
+]
 
-flow.setVariable("app_auth_permitted", auth_permitted)
+flow.setVariable("app_auth_forbidden", auth_forbidden)
diff --git a/proxies/live/apiproxy/resources/py/user-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/user-enabled-endpoint.py
@@ -2,26 +2,15 @@
 path_suffix = flow.getVariable("proxy.pathsuffix")
 request_verb = flow.getVariable("request.verb")
 
-requested_endpoint = (path_suffix, request_verb)
+requested_resource = (path_suffix, request_verb)
 
 if auth_level == "p9":
-    auth_permitted = requested_endpoint in [
-        ("/FHIR/R4/RelatedPerson", "GET"),
-        ("/FHIR/R4/QuestionnaireResponse", "POST"),
-        ("/FHIR/R4/QuestionnaireResponse", "GET"),
-        ("/FHIR/R4/Consent", "GET"),
-        ("/FHIR/R4/Consent", "PATCH"),
-    ]
+    blocked_resources = [("/FHIR/R4/Questionnaire", "GET"), ("/FHIR/R4/Consent", "POST")]
 elif auth_level == "all3":
-    auth_permitted = requested_endpoint in [
-        ("/FHIR/R4/RelatedPerson", "GET"),
-        ("/FHIR/R4/Questionnaire", "GET"),
-        ("/FHIR/R4/QuestionnaireResponse", "GET"),
-        ("/FHIR/R4/Consent", "GET"),
-        ("/FHIR/R4/Consent", "POST"),
-        ("/FHIR/R4/Consent", "PATCH"),
-    ]
+    blocked_resources = [("/FHIR/R4/QuestionnaireResponse", "GET")]
 else:
-    auth_permitted = False
+    blocked_resources = []
 
-flow.setVariable("user_auth_permitted", auth_permitted)
+auth_forbidden = requested_resource in blocked_resources
+
+flow.setVariable("user_auth_forbidden", auth_forbidden)
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -31,7 +31,7 @@
                 </Step>
                 <Step>
                     <Name>RaiseFault.403Forbidden</Name>
-                    <Condition>app_auth_permitted != true</Condition>
+                    <Condition>app_auth_forbidden = true</Condition>
                 </Step>
                 <Step>
                     <Name>AddUserAuthHeaders</Name>
@@ -46,7 +46,7 @@
                 </Step>
                 <Step>
                     <Name>RaiseFault.403Forbidden</Name>
-                    <Condition>user_auth_permitted != true</Condition>
+                    <Condition>user_auth_forbidden = true</Condition>
                 </Step>
                 <Step>
                     <Name>DecodeAccessTokenJWT</Name>
