[PRMP-1439] Fix doc ref GET for deceased patient

lambdas/handlers/authoriser_handler.py

@@ -42,7 +42,8 @@ def lambda_handler(event, context):
     if event.get("methodArn") is None:
         return {"Error": "methodArn is not defined"}
     _, _, _, region, aws_account_id, api_gateway_arn = event.get("methodArn").split(
-        ":", 5
+        ":",
+        5,
     )
     api_id, stage, _http_verb, _resource_name = api_gateway_arn.split("/", 3)
     path = "/" + _resource_name
@@ -57,7 +58,11 @@ def lambda_handler(event, context):
         patient_id = event.get("queryStringParameters", {}).get("patientId", None)
         logger.info("Validating resource req: %s, http: %s" % (path, _http_verb))
         is_allow_policy = authoriser_service.auth_request(
-            path, ssm_jwt_public_key_parameter, auth_token, patient_id
+            path,
+            _http_verb,
+            ssm_jwt_public_key_parameter,
+            auth_token,
+            patient_id,
         )
         if is_allow_policy:
             policy.allow_method(_http_verb, path)

lambdas/services/authoriser_service.py

@@ -2,6 +2,7 @@
 import time
 
 from enums.repository_role import RepositoryRole
+from models.auth_policy import HttpVerb
 from models.staging_metadata import NHS_NUMBER_PLACEHOLDER
 from services.manage_user_session_access import ManageUserSessionAccess
 from services.token_service import TokenService
@@ -23,7 +24,12 @@ def __init__(self):
         self.manage_user_session_service = ManageUserSessionAccess()
 
     def auth_request(
-        self, path, ssm_jwt_public_key_parameter, auth_token, nhs_number: str = None
+        self,
+        path,
+        http_verb,
+        ssm_jwt_public_key_parameter,
+        auth_token,
+        nhs_number: str = None,
     ):
         try:
             decoded_token = token_service.get_public_key_and_decode_auth_token(
@@ -39,7 +45,7 @@ def auth_request(
             user_role = decoded_token.get("repository_role")
 
             current_session = self.manage_user_session_service.find_login_session(
-                ndr_session_id
+                ndr_session_id,
             )
             self.allowed_nhs_numbers = (
                 current_session.get("AllowedNHSNumbers", "").split(",")
@@ -54,7 +60,12 @@ def auth_request(
 
             self.validate_login_session(float(current_session["TimeToExist"]))
 
-            resource_denied = self.deny_access_policy(path, user_role, nhs_number)
+            resource_denied = self.deny_access_policy(
+                path,
+                http_verb,
+                user_role,
+                nhs_number,
+            )
 
             allow_policy = False
 
@@ -67,7 +78,7 @@ def auth_request(
         except (KeyError, IndexError) as e:
             raise AuthorisationException(e)
 
-    def deny_access_policy(self, path, user_role, nhs_number: str = None):
+    def deny_access_policy(self, path, http_verb, user_role, nhs_number: str = None):
         logger.info(f"Path: {path}")
 
         patient_access_is_allowed = (
@@ -80,7 +91,6 @@ def deny_access_policy(self, path, user_role, nhs_number: str = None):
 
         patient_id_is_placeholder = nhs_number == NHS_NUMBER_PLACEHOLDER
 
-        is_user_gp_admin = user_role == RepositoryRole.GP_ADMIN.value
         is_user_gp_clinical = user_role == RepositoryRole.GP_CLINICAL.value
         is_user_pcse = user_role == RepositoryRole.PCSE.value
 
@@ -100,12 +110,8 @@ def deny_access_policy(self, path, user_role, nhs_number: str = None):
                 deny_resource = not patient_access_is_allowed or is_user_gp_clinical
 
             case doc_ref if re.match(doc_ref_pattern, doc_ref):
-                deny_resource = True
-                if (
-                    is_user_gp_admin or is_user_gp_clinical
-                ) and patient_access_is_allowed:
-                    deny_resource = False
-                if patient_access_is_allowed and access_to_deceased_patient:
+                deny_resource = is_user_pcse or not patient_access_is_allowed
+                if http_verb != HttpVerb.GET and access_to_deceased_patient:
                     deny_resource = True
 
             case "/LloydGeorgeStitch":

lambdas/tests/unit/handlers/test_authoriser_handler.py

@@ -11,7 +11,7 @@
             "Action": "execute-api:Invoke",
             "Effect": "Deny",
             "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/*/*"],
-        }
+        },
     ],
     "Version": "2012-10-17",
 }
@@ -24,12 +24,13 @@ def test_valid_gp_admin_token_return_allow_policy(set_env, context, mocker):
                 "Action": "execute-api:Invoke",
                 "Effect": "Allow",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchDocumentReferences"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=True
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=True,
     )
     auth_token = "valid_gp_admin_token"
     test_event = {
@@ -41,6 +42,7 @@ def test_valid_gp_admin_token_return_allow_policy(set_env, context, mocker):
     response = lambda_handler(event=test_event, context=context)
     mock_auth_service.assert_called_with(
         "/SearchDocumentReferences",
+        "GET",
         SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
         auth_token,
         TEST_NHS_NUMBER,
@@ -55,7 +57,7 @@ def test_valid_pcse_token_return_allow_policy(set_env, mocker, context):
                 "Action": "execute-api:Invoke",
                 "Effect": "Allow",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchPatient"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
@@ -67,13 +69,18 @@ def test_valid_pcse_token_return_allow_policy(set_env, mocker, context):
         "methodArn": f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchPatient",
     }
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=True
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=True,
     )
 
     response = lambda_handler(test_event, context=context)
 
     mock_auth_service.assert_called_with(
-        "/SearchPatient", SSM_PARAM_JWT_TOKEN_PUBLIC_KEY, auth_token, TEST_NHS_NUMBER
+        "/SearchPatient",
+        "GET",
+        SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
+        auth_token,
+        TEST_NHS_NUMBER,
     )
     assert response["policyDocument"] == expected_allow_policy
 
@@ -85,12 +92,13 @@ def test_valid_gp_admin_token_return_deny_policy(set_env, context, mocker):
                 "Action": "execute-api:Invoke",
                 "Effect": "Deny",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchDocumentReferences"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=False
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=False,
     )
     auth_token = "valid_gp_admin_token"
     test_event = {
@@ -103,6 +111,7 @@ def test_valid_gp_admin_token_return_deny_policy(set_env, context, mocker):
 
     mock_auth_service.assert_called_with(
         "/SearchDocumentReferences",
+        "GET",
         SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
         auth_token,
         TEST_NHS_NUMBER,
@@ -117,7 +126,7 @@ def test_valid_pcse_token_return_deny_policy(set_env, mocker, context):
                 "Action": "execute-api:Invoke",
                 "Effect": "Deny",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchPatient"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
@@ -129,13 +138,18 @@ def test_valid_pcse_token_return_deny_policy(set_env, mocker, context):
         "methodArn": f"{MOCK_METHOD_ARN_PREFIX}/GET/SearchPatient",
     }
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=False
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=False,
     )
 
     response = lambda_handler(test_event, context=context)
 
     mock_auth_service.assert_called_with(
-        "/SearchPatient", SSM_PARAM_JWT_TOKEN_PUBLIC_KEY, auth_token, TEST_NHS_NUMBER
+        "/SearchPatient",
+        "GET",
+        SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
+        auth_token,
+        TEST_NHS_NUMBER,
     )
     assert response["policyDocument"] == expected_deny_policy
 
@@ -157,7 +171,11 @@ def test_return_deny_all_policy_pcse_user_when_auth_exception(set_env, mocker, c
 
     assert response["policyDocument"] == DENY_ALL_POLICY
     mock_auth_service.assert_called_with(
-        "/SearchPatient", SSM_PARAM_JWT_TOKEN_PUBLIC_KEY, auth_token, TEST_NHS_NUMBER
+        "/SearchPatient",
+        "GET",
+        SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
+        auth_token,
+        TEST_NHS_NUMBER,
     )
 
 
@@ -191,7 +209,7 @@ def test_deny_dr_for_deceased_patients(set_env, context, mocker, endpoint_path):
                 "Action": "execute-api:Invoke",
                 "Effect": "Deny",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}{endpoint_path}"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
@@ -205,13 +223,15 @@ def test_deny_dr_for_deceased_patients(set_env, context, mocker, endpoint_path):
     }
 
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=False
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=False,
     )
 
     response = lambda_handler(test_event, context=context)
 
     mock_auth_service.assert_called_with(
         "/" + endpoint_path.split("/", 2)[2],
+        endpoint_path.split("/")[1],
         SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
         auth_token,
         TEST_NHS_NUMBER,
@@ -226,7 +246,7 @@ def test_deny_dr_for_non_gp_admins_or_clinicians(set_env, context, mocker):
                 "Action": "execute-api:Invoke",
                 "Effect": "Deny",
                 "Resource": [f"{MOCK_METHOD_ARN_PREFIX}/POST/DocumentReference"],
-            }
+            },
         ],
         "Version": "2012-10-17",
     }
@@ -238,13 +258,15 @@ def test_deny_dr_for_non_gp_admins_or_clinicians(set_env, context, mocker):
         "methodArn": f"{MOCK_METHOD_ARN_PREFIX}/POST/DocumentReference",
     }
     mock_auth_service = mocker.patch(
-        "services.authoriser_service.AuthoriserService.auth_request", return_value=False
+        "services.authoriser_service.AuthoriserService.auth_request",
+        return_value=False,
     )
 
     pcse_response = lambda_handler(test_pcse_event, context=context)
 
     mock_auth_service.assert_called_with(
         "/DocumentReference",
+        "POST",
         SSM_PARAM_JWT_TOKEN_PUBLIC_KEY,
         auth_pcse_token,
         TEST_NHS_NUMBER,