NPA-6301: Update spec and proxy to enabled app-restricted-auth for sp… (#297)

…ecific endpoints

# Pull Request

## 🧾 Ticket Link

<!-- Add the Jira ticket link here -->

https://nhsd-jira.digital.nhs.uk/browse/NPA-6301

---

## 📄 Description/Summary of Changes

<!-- Describe the changes made in this PR. Include the
purpose/scope/impact of the changes -->

- Updated Spec to let consumers know which endpoints have app restricted
auth enabled as an access mode
- Updated APIM proxy to no longer block the 4 endpoints specified in the
ticket

---

## 🧪 Developer Testing Carried Out

<!-- Describe what tests (automated/unit/manual etc.) have been done for
the ticket. Include: -->
<!-- - Any tests added/updated -->
<!-- - Evidence that each acceptance criterion from the Jira ticket is
met -->

- Test evidence attached to ticket
---

## 🧪 Reviewer Testing Required

<!-- Describe how to test the changes that have been made in the ticket.
Include: -->
<!-- - Testing environment details (e.g. sandbox/local setup) -->
<!-- - Steps to verify the changes -->

- [ ] <!-- Add bullet points for testing instructions -->
- [ ] <!-- Add bullet points for testing instructions -->
- [ ] <!-- Add bullet points for testing instructions -->

---

## ✅ Developer Checklist

<!-- Complete before submitting the PR -->

- [ ] PR title follows the format: `NPA-XXXX: <short-description>`
- [ ] Branch name follows the convention:
`<type>/NPA-XXXX/<short-description>`
- [ ] Commit messages follow the template: `NPA-XXXX:
<short-description>`
- [ ] All acceptance criteria from the Jira ticket are addressed
- [ ] Automated tests (unit/integration/API/infrastructure etc. tests)
are added or updated
- [ ] Assignees and appropriate labels (e.g. `terraform`,
`documentation`) are added

---

## 👀 Reviewer Checklist

<!-- To be completed by the reviewer -->

- [ ] Changes meet the acceptance criteria of the Jira ticket
- [ ] Code is able to be merged (no conflicts and adheres to coding
standards)
- [ ] Sufficient test evidence is provided (manual and/or automated)
- [ ] Infrastructure/operational/build changes are validated (if
applicable)

---

## 🚀 Post-merge

<!-- Actions to complete after merging -->

After merging and deploying changes to the sandbox, Postman collection
or spec examples please run the Run Postman
collection workflow.

This will run the tests within the collection to check that the sandbox
is working as expected once deployed.

Author: ellie-bound1-NHSD

proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py

@@ -2,22 +2,14 @@
 request_verb = flow.getVariable("request.verb").lower()
 
 auth_forbidden = False
-if request_verb == "patch":
-    # Check blocked endpoint is within path suffix i.e. ignore path parameters
-    blocked_resources = ["/fhir/r4/consent"]
-    for blocked_resource in blocked_resources:
-        if blocked_resource in path_suffix:
-            auth_forbidden = True
-else:
-    # Check blocked endpoint is equal to path suffix
-    requested_resource = (path_suffix, request_verb)
-    blocked_resources = [
-        ("/fhir/r4/relatedperson", "get"),
-        ("/fhir/r4/questionnaire", "get"),
-        ("/fhir/r4/questionnaireresponse", "post"),
-        ("/fhir/r4/questionnaireresponse", "get"),
-        ("/fhir/r4/consent", "post"),
-    ]
-    auth_forbidden = requested_resource in blocked_resources
+
+# Check blocked endpoint is equal to path suffix
+requested_resource = (path_suffix, request_verb)
+blocked_resources = [
+    ("/fhir/r4/relatedperson", "get"),
+    ("/fhir/r4/questionnaire", "get"),
+    ("/fhir/r4/questionnaireresponse", "post"),
+]
+auth_forbidden = requested_resource in blocked_resources
 
 flow.setVariable("app_auth_forbidden", auth_forbidden)

specification/validated-relationships-service-api.yaml

@@ -318,6 +318,7 @@ paths:
         This endpoint supports the following access modes:
         - Patient access
         - Healthcare worker access
+        - Application-restricted access
 
         ## Sandbox test scenarios
 
@@ -690,6 +691,7 @@ paths:
 
         This endpoint supports the following access modes:
         - Healthcare worker access
+        - Application-restricted access
 
         ## Sandbox test scenarios
 
@@ -831,6 +833,7 @@ paths:
 
         This endpoint supports the following access modes:
         - Healthcare worker access
+        - Application-restricted access
 
         ## Sandbox test scenarios
 
@@ -956,6 +959,7 @@ paths:
         This endpoint supports the following access modes:
         - Patient access
         - Healthcare worker access
+        - Application-restricted access
 
         ## Sandbox test scenarios
         The sandbox supports a limited number of scenarios, and does not attempt to validate requests.  The returned response is dependant on the `id` parameters.