Merge branch 'master' into dev/NPA-1711_add_format_to_search_params

.github/workflows/pr-lint.yaml

@@ -5,24 +5,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check ticket name conforms to requirements
-        run: echo ${{ github.event.pull_request.head.ref }} | grep -i -E -q "(apm-[0-9]+)|(apmspii-[0-9]+)|(adz-[0-9]+)|(amb-[0-9]+)|(dependabot\/)"
+        run: echo ${{ github.event.pull_request.head.ref }} | grep -i -E -q "(npa-[0-9]+)|(dependabot\/)"
         continue-on-error: true
 
       - name: Grab ticket name
-        if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'apmspii-') || contains(github.event.pull_request.head.ref, 'APMSPII-') || contains(github.event.pull_request.head.ref, 'adz-') || contains(github.event.pull_request.head.ref, 'ADZ-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
-        run: echo ::set-env name=TICKET_NAME::$(echo ${{ github.event.pull_request.head.ref }} | grep -i -o '\(apm-[0-9]\+\)\|\(apmspii-[0-9]\+\)\|\(adz-[0-9]\+\)|\(amb-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')
+        if: contains(github.event.pull_request.head.ref, 'npa-') || contains(github.event.pull_request.head.ref, 'NPA-')
+        run: echo ::set-env name=TICKET_NAME::$(echo ${{ github.event.pull_request.head.ref }} | grep -i -o '\(npa-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')
         continue-on-error: true
         env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: true
 
       - name: Comment on PR with link to JIRA ticket
-        if: contains(github.event.pull_request.head.ref, 'apm-') || contains(github.event.pull_request.head.ref, 'APM-') || contains(github.event.pull_request.head.ref, 'apmspii-') || contains(github.event.pull_request.head.ref, 'APMSPII-') || contains(github.event.pull_request.head.ref, 'adz-') || contains(github.event.pull_request.head.ref, 'ADZ-') || contains(github.event.pull_request.head.ref, 'amb-') || contains(github.event.pull_request.head.ref, 'AMB-')
+        if: contains(github.event.pull_request.head.ref, 'npa-') || contains(github.event.pull_request.head.ref, 'NPA-')
         continue-on-error: true
         uses: unsplash/comment-on-pr@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           msg: |
-            This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:
+            This branch is work on a ticket in the NHS Digital NPA JIRA Project. Here's a handy link to the ticket:
             # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
-

README.md

@@ -4,6 +4,7 @@
 
 This is a specification for the *validated-relationships-service-api* API.
 
+
 * `specification/` This [Open API Specification](https://swagger.io/docs/specification/about/) describes the endpoints, methods and messages exchanged by the API. Use it to generate interactive documentation; the contract between the API and its consumers.
 * `sandbox/` This NodeJS application implements a mock implementation of the service. Use it as a back-end service to the interactive documentation to illustrate interactions and concepts. It is not intended to provide an exhaustive/faithful environment suitable for full development and testing.
 * `scripts/` Utilities helpful to developers of this specification.

azure/azure-release-pipeline.yml

@@ -36,37 +36,34 @@ extends:
           - template: ./templates/run-tests.yml
             parameters:
               full: true
-    #   - environment: internal-dev-sandbox
-    #     proxy_path: sandbox
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    #   - environment: internal-qa
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    #         parameters:
-    #           full: true
-    #   - environment: internal-qa-sandbox
-    #     proxy_path: sandbox
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    #   - environment: ref
-    #     depends_on:
-    #       - internal_qa
-    #       - internal_qa_sandbox
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    #   - environment: sandbox
-    #     proxy_path: sandbox
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    # # Enable int environment when ready by uncommenting:
-    #   - environment: int
-    #     depends_on:
-    #       - internal_qa
-    #       - internal_qa_sandbox
-    #     post_deploy:
-    #       - template: ./templates/run-tests.yml
-    #         parameters:
-    #           full: true
-    #           test-command: prod
-    #           smoketest-command: prod
+      - environment: internal-dev-sandbox
+        proxy_path: sandbox
+        post_deploy:
+          - template: ./templates/run-tests.yml
+      - environment: internal-qa
+        post_deploy:
+          - template: ./templates/run-tests.yml
+            parameters:
+              full: true
+      - environment: internal-qa-sandbox
+        proxy_path: sandbox
+        post_deploy:
+          - template: ./templates/run-tests.yml
+      - environment: ref
+        depends_on:
+          - internal_qa
+          - internal_qa_sandbox
+        post_deploy:
+          - template: ./templates/run-tests.yml
+      - environment: sandbox
+        proxy_path: sandbox
+        # post_deploy:
+        #   - template: ./templates/run-tests.yml
+      - environment: int
+        depends_on:
+          - internal_qa
+          - internal_qa_sandbox
+        # post_deploy:
+        #   - template: ./templates/run-tests.yml
+        #     parameters:
+        #       full: true

manifest_template.yml

@@ -1,6 +1,6 @@
 SERVICE_NAME: validated-relationships-service-api
 PRODUCT_DISPLAY_NAME: validated-relationships-service-api
-DESCRIPTION: example description
+DESCRIPTION: Validated Relationships Service API
 APIGEE_ENVIRONMENTS:
   - name: internal-dev
     display_name: Internal Development
@@ -11,22 +11,22 @@ APIGEE_ENVIRONMENTS:
   - name: ref
     display_name: Reference
     has_mock_auth: true
-# Enable environments when ready by uncommenting:
-  # - name: internal-dev-sandbox
-  #   display_name: Internal Development Sandbox
-  #   portal_visibility: false
-  # - name: internal-qa
-  #   display_name: Internal QA
-  #   has_mock_auth: true
-  #   portal_visibility: false
-  # - name: internal-qa-sandbox
-  #   display_name: Internal QA Sandbox
-  #   portal_visibility: false
-  # - name: sandbox
-  #   display_name: Sandbox
-  #   portal_visibility: false
-  # - name: int
-  #   display_name: Integration Testing
+  - name: internal-dev-sandbox
+    display_name: Internal Development Sandbox
+    portal_visibility: false
+  - name: internal-qa
+    display_name: Internal QA
+    has_mock_auth: true
+    portal_visibility: false
+  - name: internal-qa-sandbox
+    display_name: Internal QA Sandbox
+    portal_visibility: false
+  - name: sandbox
+    display_name: Sandbox
+    portal_visibility: false
+  - name: int
+    display_name: Integration Testing
+    has_mock_auth: true
 ---
 meta:
   api:
@@ -75,8 +75,7 @@ apigee:
           - identity-service-mock-{{ ENV.name }}
 {% endif %}
         scopes:
-          - 'urn:nhsd:apim:app:level3:{{ SERVICE_NAME }}'
-          - 'urn:nhsd:apim:user-nhs-cis2:aal3:{{ SERVICE_NAME }}'
+          - 'urn:nhsd:apim:user-nhs-login:P9:{{ SERVICE_NAME }}'
     specs:
       - name: {{ NAME }}
         path: {{ SERVICE_NAME }}.json

proxies/live/apiproxy/policies/AssignMessage.AddProxyURL.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AddProxyURL">
+    <DisplayName>Add Proxy URL</DisplayName>
+    <Add>
+        <Headers>
+            <Header name="Proxy-Url">{proxy.url}</Header>
+        </Headers>
+    </Add>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false" transport="http" type="request"/>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.AddUserAuthLevel.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AddUserAuthLevel">
+    <DisplayName>Add User Auth Level</DisplayName>
+    <Add>
+        <Headers>
+            <Header name="accesstoken.auth_level">{toUpperCase(accesstoken.auth_level)}</Header>
+        </Headers>
+    </Add>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false" transport="http" type="request"/>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.AddUserNHSNumber.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<AssignMessage async="false" continueOnError="false" enabled="true" name="AddUserNHSNumber">
+    <DisplayName>Add User NHS Number</DisplayName>
+    <Add>
+        <Headers>
+            <Header name="accesstoken.auth_user_id">{accesstoken.auth_user_id}</Header>
+        </Headers>
+    </Add>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+    <AssignTo createNew="false" transport="http" type="request"/>
+</AssignMessage>

proxies/live/apiproxy/policies/OAuthV2.VerifyAccessTokenUserNhsLoginP9.xml

@@ -0,0 +1,4 @@
+<OAuthV2 async="false" continueOnError="false" enabled="true" name="VerifyAccessTokenUserNhsLoginP9">
+  <Operation>VerifyAccessToken</Operation>
+  <Scopes>urn:nhsd:apim:user-nhs-login:P9:validated-relationships-service-api</Scopes>
+</OAuthV2>

proxies/live/apiproxy/policies/RaiseFault.401Unauthorized.xml

@@ -1,14 +1,43 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ This policy raises a 401 error response for an invalid or missing access token.
+
+ Raisefault policies stop the execution of the current flow and move to the error flow, which returns the error response defined here to the requesting application.
+
+ For more information on RaiseFault policies within Apigee see the following resource:
+    * https://docs.apigee.com/api-platform/reference/policies/raise-fault-policy
+-->
 <RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.401Unauthorized">
     <DisplayName>RaiseFault.401Unauthorized</DisplayName>
     <Properties/>
     <FaultResponse>
         <Set>
             <Headers/>
-            <Payload contentType="text/plain"/>
             <StatusCode>401</StatusCode>
-            <ReasonPhrase>Access Denied</ReasonPhrase>
+            <ReasonPhrase>Unauthorized</ReasonPhrase>
+            <Payload>
+                {
+                  "issue": [
+                    {
+                      "code": "forbidden",
+                      "details": {
+                        "coding": [
+                          {
+                            "code": "ACCESS_DENIED",
+                            "display": "Missing or invalid OAuth 2.0 bearer token in request.",
+                            "system": "https://fhir.nhs.uk/R4/CodeSystem/ValidatedRelationships-ErrorOrWarningCode",
+                            "version": "1"
+                          }
+                        ]
+                      },
+                      "diagnostics": "Invalid access token - Access Denied.",
+                      "severity": "error"
+                    }
+                  ],
+                  "resourceType": "OperationOutcome"
+                }          
+            </Payload>
         </Set>
     </FaultResponse>
     <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
-</RaiseFault>
+</RaiseFault>

proxies/live/apiproxy/targets/target.xml

@@ -2,14 +2,31 @@
   <PreFlow>
     <Request>
       <Step>
-        <Name>OauthV2.VerifyAccessTokenAppLevel3OrCis2Aal3</Name>
+        <Name>VerifyAccessTokenUserNhsLoginP9</Name>
       </Step>
       <Step>
         <Name>FlowCallout.ApplyRateLimiting</Name>
       </Step>
+      <Step>
+        <Name>AddProxyURL</Name>
+      </Step>
+      <Step>
+        <Name>AddUserAuthLevel</Name>
+      </Step>
+      <Step>
+        <Name>AddUserNHSNumber</Name>
+      </Step>
     </Request>
   </PreFlow>
   <FaultRules>
+    <FaultRule name="unauthorized">
+        <Step>
+            <Name>RaiseFault.401Unauthorized</Name>
+              <Condition>
+              oauthV2.OauthV2.VerifyAccessToken.failed = true or fault.name = "invalid_access_token" or fault.name = "InvalidAccessToken" or fault.name = "access_token_not_approved" or fault.name = "apiresource_doesnot_exist" or fault.name = "InvalidAPICallAsNo" or fault.name = "ApiProductMatchFound"
+              </Condition>
+        </Step>
+    </FaultRule>
     <FaultRule name="access_token_expired">
       <Step>
         <Name>ExtractVariables.OAuthErrorFaultString</Name>
@@ -20,24 +37,13 @@
       <Condition>oauthV2.OauthV2.VerifyAccessToken.failed</Condition>
     </FaultRule>
   </FaultRules>
-  <!--
-    To point to a named target server as this is how it SHOULD be implemented:
-    For example:
-    <HTTPTargetConnection>
-      <SSLInfo>
-        <Enabled>true</Enabled>
-      </SSLInfo>
+  <HTTPTargetConnection>
       <LoadBalancer>
-        <Server name="validated-relationships-service-api" />
+          <Server name="validated-relationships-service-api"/>
       </LoadBalancer>
-    </HTTPTargetConnection>
-  -->
-  <HTTPTargetConnection>
-    <URL>http://mocktarget.apigee.net</URL>
-    <Properties>
-      <Property name="supports.http10">true</Property>
-      <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
-      <Property name="retain.queryparams">apikey</Property>
-    </Properties>
+      <Properties>
+          <Property name="supports.http10">true</Property>
+          <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
+      </Properties>
   </HTTPTargetConnection>
 </TargetEndpoint>