NRL-1933 add feature test framework for org and app v2 perms

Author: katebobyn-nhs

tests/features/producer/createDocumentReference-failure.feature

@@ -292,6 +292,76 @@ Feature: Producer - createDocumentReference - Failure Scenarios
       }
       """
 
+  # Credentials - type not allowed at application level (v2 permissions)
+  Scenario: Producer lacks permissions to create specified type at the application level
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the application has 'producer' permissions for pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When producer v2 'ANGY1' creates a DocumentReference with values:
+      | property  | value                          |
+      | subject   | 9999999999                     |
+      | status    | current                        |
+      | type      | 887701000000100                |
+      | category  | 734163000                      |
+      | custodian | ANGY1                          |
+      | author    | HAR1                           |
+      | url       | https://example.org/my-doc.pdf |
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/CodeSystem/Spine-ErrorOrWarningCode",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "Your organisation 'ANGY1' does not have permission to access this resource. Contact the onboarding team."
+      }
+      """
+
+  # Credentials - type not allowed at org level (v2 permissions)
+  Scenario: Producer lacks permissions to create specified type at the org level
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'ANGY1' is authorised as a Producer for pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When producer v2 'ANGY1' creates a DocumentReference with values:
+      | property  | value                          |
+      | subject   | 9999999999                     |
+      | status    | current                        |
+      | type      | 887701000000100                |
+      | category  | 734163000                      |
+      | custodian | ANGY1                          |
+      | author    | HAR1                           |
+      | url       | https://example.org/my-doc.pdf |
+    Then the response status code is 403
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+        "severity": "error",
+        "code": "forbidden",
+        "details": {
+          "coding": [
+            {
+              "system": "https://fhir.nhs.uk/CodeSystem/Spine-ErrorOrWarningCode",
+              "code": "ACCESS DENIED",
+              "display": "Access has been denied to process this request"
+            }
+          ]
+        },
+        "diagnostics": "Your organisation 'ANGY1' does not have permission to access this resource. Contact the onboarding team."
+      }
+      """
+
   Scenario: Invalid status
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
     And the organisation 'X26' is authorised to access pointer types:

tests/features/producer/createDocumentReference-success.feature

@@ -47,6 +47,100 @@ Feature: Producer - createDocumentReference - Success Scenarios
       | url             | https://example.org/my-doc.pdf |
       | practiceSetting | 788002001                      |
 
+  Scenario: Successfully create a Document Pointer with org-level permissions (v2 permissions model)
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'ANGY1' is authorised as a Producer for pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When producer v2 'ANGY1' creates a DocumentReference with values:
+      | property        | value                          |
+      | subject         | 9278693472                     |
+      | status          | current                        |
+      | type            | 736253002                      |
+      | category        | 734163000                      |
+      | custodian       | ANGY1                          |
+      | author          | HAR1                           |
+      | url             | https://example.org/my-doc.pdf |
+      | practiceSetting | 788002001                      |
+    Then the response status code is 201
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+      "severity": "information",
+      "code": "informational",
+      "details": {
+      "coding": [
+      {
+      "system": "https://fhir.nhs.uk/ValueSet/NRL-ResponseCode",
+      "code": "RESOURCE_CREATED",
+      "display": "Resource created"
+      }
+      ]
+      },
+      "diagnostics": "The document has been created"
+      }
+      """
+    And the response has a Location header
+    And the Location header starts with '/DocumentReference/ANGY1-'
+    And the resource in the Location header exists with values:
+      | property        | value                          |
+      | subject         | 9278693472                     |
+      | status          | current                        |
+      | type            | 736253002                      |
+      | category        | 734163000                      |
+      | custodian       | ANGY1                          |
+      | author          | HAR1                           |
+      | url             | https://example.org/my-doc.pdf |
+      | practiceSetting | 788002001                      |
+
+  Scenario: Successfully create a Document Pointer with app-level permissions (v2 permissions model)
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the application has 'producer' permissions for pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    When producer v2 'ANGY1' creates a DocumentReference with values:
+      | property        | value                          |
+      | subject         | 9278693472                     |
+      | status          | current                        |
+      | type            | 736253002                      |
+      | category        | 734163000                      |
+      | custodian       | ANGY1                          |
+      | author          | HAR1                           |
+      | url             | https://example.org/my-doc.pdf |
+      | practiceSetting | 788002001                      |
+    Then the response status code is 201
+    And the response is an OperationOutcome with 1 issue
+    And the OperationOutcome contains the issue:
+      """
+      {
+      "severity": "information",
+      "code": "informational",
+      "details": {
+      "coding": [
+      {
+      "system": "https://fhir.nhs.uk/ValueSet/NRL-ResponseCode",
+      "code": "RESOURCE_CREATED",
+      "display": "Resource created"
+      }
+      ]
+      },
+      "diagnostics": "The document has been created"
+      }
+      """
+    And the response has a Location header
+    And the Location header starts with '/DocumentReference/ANGY1-'
+    And the resource in the Location header exists with values:
+      | property        | value                          |
+      | subject         | 9278693472                     |
+      | status          | current                        |
+      | type            | 736253002                      |
+      | category        | 734163000                      |
+      | custodian       | ANGY1                          |
+      | author          | HAR1                           |
+      | url             | https://example.org/my-doc.pdf |
+      | practiceSetting | 788002001                      |
+
   # # NRL-766 Resolve custodian suffix issues
   # Scenario: Successfully create a Document Pointer (care plan) with custodian suffix
   # Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API

tests/features/steps/1_setup.py

@@ -25,6 +25,24 @@ def add_pointer_types(self, ods_code: str, context: Context):
         s3_client.put_object(Bucket=bucket, Key=key, Body=json.dumps(pointer_types))
         context.add_cleanup(lambda: s3_client.delete_object(Bucket=bucket, Key=key))
 
+    def add_v2_permissions(
+        self, api_side: str, context: Context, ods_code: Optional[str] = None
+    ):
+        if not context.table:
+            raise ValueError("No permissions table provided")
+
+        pointer_types = [f"{system}|{value}" for system, value in context.table]
+        perms_body = {"types": pointer_types}
+        bucket = f"nhsd-nrlf--{context.stack_name}-authorization-store"
+        if ods_code:  # org-level permissions
+            key = f"{api_side}/{self.app_id}/{ods_code}.json"
+        else:  # app-level permissions
+            key = f"{api_side}/{self.app_id}.json"
+
+        s3_client = get_s3_client()
+        s3_client.put_object(Bucket=bucket, Key=key, Body=json.dumps(pointer_types))
+        context.add_cleanup(lambda: s3_client.delete_object(Bucket=bucket, Key=key))
+
 
 @given("the application '{app_name}' (ID '{app_id}') is registered to access the API")
 def register_application_step(context: Context, app_name: str, app_id: str):
@@ -39,6 +57,31 @@ def register_org_permissions_step(context: Context, ods_code: str):
     context.application.add_pointer_types(ods_code, context)
 
 
+@given("the organisation '{ods_code}' is authorised as a Producer for pointer types")
+def register_v2_producer_org_permissions_step(context: Context, ods_code: str):
+    if not context.table:
+        raise ValueError("No permissions table provided")
+
+    context.application.add_v2_permissions("producer", context, ods_code)
+
+
+@given("the organisation '{ods_code}' is authorised as a Consumer for pointer types")
+def register_v2_consumer_org_permissions_step(context: Context, ods_code: str):
+    if not context.table:
+        raise ValueError("No permissions table provided")
+
+    context.application.add_v2_permissions("consumer", context, ods_code)
+
+
+@given("the application has '{use_type}' permissions for pointer types")
+def register_app_level_permissions_step(context: Context, use_type: str):
+    if not context.table:
+        raise ValueError("No permissions table provided")
+    if use_type not in {"producer", "consumer"}:
+        raise ValueError("Producer or Consumer side must be specified")
+    context.application.add_v2_permissions(use_type, context)
+
+
 @given("a DocumentReference resource exists with values")
 def create_document_reference_step(context: Context):
     if not context.table:

tests/features/steps/2_request.py

@@ -76,9 +76,11 @@ def consumer_read_document_reference_step(
     context.response = client.read(doc_ref_id)
 
 
-@when("producer '{ods_code}' creates a DocumentReference with values")
-def create_post_document_reference_step(context: Context, ods_code: str):
-    client = producer_client_from_context(context, ods_code)
+@when(
+    "producer {version} '{ods_code}' using v2 permissioning creates a DocumentReference with values"
+)
+def create_post_document_reference_step(context: Context, version: str, ods_code: str):
+    client = producer_client_from_context(context, ods_code, v2=(version == "v2"))
 
     if not context.table:
         raise ValueError("No document reference data table provided")

tests/utilities/api_clients.py

@@ -68,7 +68,7 @@ def wrapper(*args: Any, **kwargs: Any) -> Any:
 
 class ConsumerTestClient:
 
-    def __init__(self, config: ClientConfig):
+    def __init__(self, config: ClientConfig, use_v2: bool = False):
         self.config = config
         self.api_url = f"{self.config.base_url}consumer{self.config.api_path}"
 
@@ -78,17 +78,26 @@ def __init__(self, config: ClientConfig):
         }
 
         if self.config.client_cert:
-            connection_metadata = self.config.connection_metadata.model_dump(
-                by_alias=True
-            )
-            client_rp_details = connection_metadata.pop("client_rp_details")
-            self.request_headers.update(
-                {
-                    "NHSD-Connection-Metadata": json.dumps(connection_metadata),
-                    "NHSD-Client-RP-Details": json.dumps(client_rp_details),
-                    "NHSD-Correlation-Id": "test-correlation-id",
-                }
-            )
+            if use_v2:
+                self.request_headers.update(
+                    {
+                        "NHSD-End-User-Organisation-ODS": self.config.connection_metadata.ods_code,
+                        "NHSD-NRL-App-Id": self.config.connection_metadata.nrl_app_id,
+                        "NHSD-Correlation-Id": "test-correlation-id",
+                    }
+                )
+            else:
+                connection_metadata = self.config.connection_metadata.model_dump(
+                    by_alias=True
+                )
+                client_rp_details = connection_metadata.pop("client_rp_details")
+                self.request_headers.update(
+                    {
+                        "NHSD-Connection-Metadata": json.dumps(connection_metadata),
+                        "NHSD-Client-RP-Details": json.dumps(client_rp_details),
+                        "NHSD-Correlation-Id": "test-correlation-id",
+                    }
+                )
 
         self.request_headers.update(self.config.custom_headers)
 
@@ -210,7 +219,7 @@ def read_capability_statement(self) -> Response:
 
 
 class ProducerTestClient:
-    def __init__(self, config: ClientConfig):
+    def __init__(self, config: ClientConfig, use_v2: bool = False):
         self.config = config
         self.api_url = f"{self.config.base_url}producer{self.config.api_path}"
 
@@ -220,17 +229,26 @@ def __init__(self, config: ClientConfig):
         }
 
         if self.config.client_cert:
-            connection_metadata = self.config.connection_metadata.model_dump(
-                by_alias=True
-            )
-            client_rp_details = connection_metadata.pop("client_rp_details")
-            self.request_headers.update(
-                {
-                    "NHSD-Connection-Metadata": json.dumps(connection_metadata),
-                    "NHSD-Client-RP-Details": json.dumps(client_rp_details),
-                    "NHSD-Correlation-Id": "test-correlation-id",
-                }
-            )
+            if use_v2:
+                self.request_headers.update(
+                    {
+                        "NHSD-End-User-Organisation-ODS": self.config.connection_metadata.ods_code,
+                        "NHSD-NRL-App-Id": self.config.connection_metadata.nrl_app_id,
+                        "NHSD-Correlation-Id": "test-correlation-id",
+                    }
+                )
+            else:
+                connection_metadata = self.config.connection_metadata.model_dump(
+                    by_alias=True
+                )
+                client_rp_details = connection_metadata.pop("client_rp_details")
+                self.request_headers.update(
+                    {
+                        "NHSD-Connection-Metadata": json.dumps(connection_metadata),
+                        "NHSD-Client-RP-Details": json.dumps(client_rp_details),
+                        "NHSD-Correlation-Id": "test-correlation-id",
+                    }
+                )
 
         self.request_headers.update(self.config.custom_headers)