New: [AEA-3344] - delegated access

.env.example

@@ -0,0 +1,6 @@
+# API Configuration
+API_KEY=your_api_key_here
+KID=your_kid_here
+
+# Environment (defaults to internal-dev if not set)
+APIM_ENV=internal-dev

.gitignore

@@ -16,7 +16,7 @@ __pycache__/
 .venv/
 
 smoketest-report.xml
-env
+.env*
 .dir-locals.el
 *.pyc
 test-report.xml

.tool-versions

@@ -1,5 +1,5 @@
-nodejs 16.14.2
-python 3.8.15
-poetry 2.1.1
-shellcheck 0.9.0
-actionlint 1.6.26
+nodejs 20.19.5
+python 3.12.3
+poetry 2.2.1
+shellcheck 0.11.0
+actionlint 1.7.8

proxies/live/apiproxy/policies/AssignMessage.AddDelegationHeaders.xml

@@ -0,0 +1,11 @@
+<AssignMessage name="AssignMessage.AddDelegationHeaders">
+  <Add>
+    <Headers>
+      <Header name="X-NHSD-Delegated-Access">{nhsd.delegation.enabled}</Header>
+      <Header name="X-NHSD-Subject-NHS-Number">{nhsd.subject.nhs_number}</Header>
+      <!-- TODO: not required as already in NHSD-NHSLogin-User? -->
+      <Header name="X-NHSD-Actor-NHS-Number">{nhsd.actor.nhs_number}</Header>
+      <Header name="X-NHSD-Delegation-Context">{nhsd.delegation.context_b64}</Header>
+    </Headers>
+  </Add>
+</AssignMessage>

proxies/live/apiproxy/policies/AssignMessage.EnableDelegatedAccess.xml

@@ -0,0 +1,8 @@
+<AssignMessage name="AssignMessage.EnableDelegatedAccess">
+  <Set>
+    <Properties>
+      <Property name="delegatedaccess.enabled">true</Property>
+    </Properties>
+  </Set>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</AssignMessage>

proxies/live/apiproxy/policies/javascript.DelegationGate.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="javascript.DelegationGate">
+    <DisplayName>javascript.DelegationGate</DisplayName>
+    <Properties/>
+    <ResourceURL>jsc://DelegationGate.js</ResourceURL>
+</Javascript>

proxies/live/apiproxy/policies/javascript.DelegationSetHeaders.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="javascript.DelegationSetHeaders">
+    <DisplayName>javascript.DelegationSetHeaders</DisplayName>
+    <Properties/>
+    <ResourceURL>jsc://DelegationSetHeaders.js</ResourceURL>
+</Javascript>

proxies/live/apiproxy/resources/jsc/DelegationGate.js

@@ -0,0 +1,23 @@
+// JS policy: DelegationGate.js
+var productOpt = context.getVariable('api.product.attribute.nhsd.delegated_access'); // from GetOAuthV2Info
+var proxyOpt   = context.getVariable('delegatedaccess.enabled') || 'false';
+
+var effectiveOptIn = (String(productOpt).toLowerCase() === 'true') && (String(proxyOpt).toLowerCase() === 'true');
+context.setVariable('nhsd.delegation.enabled', effectiveOptIn);
+
+var topClaims = context.getVariable('jwt.claims'); // JSON string if VerifyJWT set <OutputClaimVariables/>
+var claims = topClaims ? JSON.parse(topClaims) : {};
+var hasAct = !!claims.act;
+
+context.setVariable('nhsd.delegation.has_act', hasAct);
+if (hasAct && !effectiveOptIn) {
+  // Signal fault path
+  context.setVariable('nhsd.delegation.reject_reason', 'delegated_access_not_enabled');
+  context.setVariable('trigger.raisefault', true);
+} else if (hasAct && effectiveOptIn) {
+  // Place nested actor token into a variable for VerifyJWT-Actor
+  // The structure indicates the actor's ID token is in act.sub
+  context.setVariable('jwt.actor.token', claims.act && claims.act.sub);
+  // Subject NHS number (patient)
+  if (claims.sub) context.setVariable('nhsd.subject.nhs_number', claims.sub);
+}

proxies/live/apiproxy/resources/jsc/DelegationSetHeaders.js

@@ -0,0 +1,16 @@
+// JS policy: DelegationSetHeaders.js
+var actorSub = context.getVariable('jwt.claim.sub'); // from VJWT-Actor (overwrites claim vars)
+var subjectNhs = context.getVariable('nhsd.subject.nhs_number');
+if (actorSub) context.setVariable('nhsd.actor.nhs_number', actorSub);
+
+// Build compact context header
+var ctx = {
+  delegated_access: true,
+  subject: { nhs_number: subjectNhs },
+  actor:   { nhs_number: actorSub }
+};
+// var ctxJson = JSON.stringify(ctx);
+// var ctxB64 = org.apache.commons.codec.binary.Base64.encodeBase64URLSafeString(
+//   new java.lang.String(ctxJson).getBytes("UTF-8")
+// );
+// context.setVariable('nhsd.delegation.context_b64', ctxB64);

proxies/live/apiproxy/targets/target.xml

@@ -18,6 +18,18 @@
         <Step>
           <Name>AssignMessage.AddPatientAccessHeader</Name>
         </Step>
+        <Step>
+          <Name>AssignMessage.EnableDelegatedAccess</Name>
+        </Step>
+        <Step>
+          <Name>javascript.DelegationGate</Name>
+        </Step>
+        <Step>
+          <Name>javascript.DelegationSetHeaders</Name>
+        </Step>
+        <Step>
+          <Name>AssignMessage.AddDelegationHeaders</Name>
+        </Step>
         {% if ALLOW_NHS_NUMBER_OVERRIDE %}
         <Step>
           <Name>AssignMessage.OverridePatientAccessHeader</Name>
@@ -71,12 +83,11 @@
   </FaultRules>
   <!-- Replace HTTPTargetConnection with this for testing to AWS pull requesst
 
-  <HTTPTargetConnection>
-    <URL>https://pr-[aws_pull_request_id].dev.prescriptionsforpatients.national.nhs.uk</URL>
-  </HTTPTargetConnection>
-
   DO NOT MERGE WITH A CUSTOM HTTPTargetConnection
    -->
+  <HTTPTargetConnection>
+    <URL>https://pfp-pr-2147.dev.eps.national.nhs.uk</URL>
+  </HTTPTargetConnection>
   <HTTPTargetConnection>
     <SSLInfo>
       <Enabled>true</Enabled>

pyproject.toml

@@ -1,24 +1,22 @@
 [project]
-python = ">=3.8,<3.9.0 || >3.9.1,<4.0"
 name = "prescriptions-for-patients"
+version = "0.0.1-alpha"
+description = "Prescriptions for Patients API"
+requires-python = ">=3.12, <4.0"
+readme = 'README.md'
+license = "MIT"
 
 [tool.poetry]
-name = "prescriptions-for-patients"
-version = "0.0.1-alpha"
 package-mode = false 
-description = "TODO"
 authors = [
     "eps team"
 ]
-readme = 'README.md'
-license = "MIT"
 repository = "https://github.com/NHSDigital/prescriptions-for-patients"
 homepage = "https://github.com/NHSDigital/prescriptions-for-patients"
 keywords = ["healthcare", "uk", "nhs"] #TODO add additional keywords
 
-
 [tool.poetry.dependencies]
-python = "^3.8"
+python = "^3.12"
 pre-commit = "^3.5.0"
 pytest-nhsd-apim = "^5.0.6"