[CDAPI-95]: Updated endpoint validation to require Composition and included initial validation

Author: nhsd-jack-wainwright

bruno/APIM/Get_Auth_Token.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://internal-dev.api.service.nhs.uk/oauth2/token
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/oauth2/token
   body: formUrlEncoded
   auth: none
 }
@@ -16,12 +16,50 @@ body:form-urlencoded {
 }
 
 script:pre-request {
-  const { generateAuthToken } = require("../common/auth-token");
-  generateAuthToken(bru, req, "https://internal-dev.api.service.nhs.uk/oauth2/token", "kid-1");
+  function generateAuthToken(bru, req, audienceUrl, kid) {
+    const jwt = require("jsonwebtoken");
+    const fs = require("node:fs");
+    const crypto = require("node:crypto");
+
+    const secret = bru.getEnvVar("JWT_SECRET");
+    const privateKeyPath = bru.getEnvVar("PRIVATE_KEY_PATH");
+
+    if (!secret) {
+      throw new Error("JWT_SECRET environment variable is missing.");
+    }
+    if (!privateKeyPath) {
+      throw new Error("PRIVATE_KEY_PATH environment variable is missing.");
+    }
+
+    const privateKey = fs.readFileSync(privateKeyPath);
+
+    const payload = {
+      sub: secret,
+      iss: secret,
+      jti: crypto.randomUUID(),
+      aud: audienceUrl,
+      exp: (Date.now() / 1000) + 300
+    };
+
+    const options = {
+      algorithm: 'RS512',
+      header: { kid: kid }
+    };
+
+    const token = jwt.sign(payload, privateKey, options);
+
+    let new_body = req.getBody();
+    new_body.push({ name: "client_assertion", value: token });
+
+    req.setBody(new_body);
+  }
+
+  const environment = bru.getGlobalEnvVar("APIM_ENV")
+  generateAuthToken(bru, req, `https://${environment}.api.service.nhs.uk/oauth2/token`, bru.getEnvVar("KID"));
 }
 
 script:post-response {
-  bru.setEnvVar("auth_token", res.getBody().access_token)
+  bru.setGlobalEnvVar("auth_token", res.getBody().access_token)
 }
 
 settings {

bruno/APIM/Post_Document_Bundle_via_APIM.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-{{PR_NUMBER}}/FHIR/R4/Bundle
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/pathology-laboratory-reporting-pr-{{PR_NUMBER}}/FHIR/R4/Bundle
   body: json
   auth: inherit
 }
@@ -20,14 +20,16 @@ body:json {
     "type": "document",
     "entry": [
       {
-          "fullUrl": "patient",
-          "resource": {
-              "resourceType": "Patient",
-              "identifier": {
-                  "system": "https://fhir.nhs.uk/Id/nhs-number",
-                  "value": "test-nhs-number"
-              }
+        "fullUrl": "composition",
+        "resource": {
+          "resourceType": "Composition",
+          "subject": {
+            "identifier": {
+              "system": "https://fhir.nhs.uk/Id/nhs-number",
+              "value": "test-nhs-number"
+            }
           }
+        }
       }
     ]
   }

bruno/APIM/README.md

@@ -14,24 +14,35 @@ Your feature branch must have an open pull request (draft or ready for review) t
 
 The following environment variables will need to be configured in Bruno:
 
-| Variable           | Description                                          | Example                       |
-| ------------------ | ---------------------------------------------------- | ----------------------------- |
-| `PRIVATE_KEY_PATH` | Path to your private key file on your local machine  | `/home/user/.ssh/api-key.pem` |
-| `JWT_SECRET`       | Active API Key from your Developer Hub application   | `your-api-key-here`           |
-| `PR_NUMBER`        | The pull request number for your preview environment | `123`                         |
+| Variable           | Description                                           | Example                       |
+| ------------------ | ----------------------------------------------------  | ----------------------------- |
+| `PRIVATE_KEY_PATH` | Path to your private key file on your local machine   | `/home/user/.ssh/api-key.pem` |
+| `JWT_SECRET`       | Active API Key from your Developer Hub application    | `your-api-key-here`           |
+| `PR_NUMBER`        | The pull request number for your preview environment  | `123`                         |
+| `APIM_ENV`         | The APIM environment you're testing against           | `internal-dev`                |
+| `KID`              | The Key ID to utilise when generating an access token | `INT-1`                       |
 
-### 3. Developer Hub Application Setup
+### 3. Bruno Global Environment Variables
+
+The following environment variables also need to be configured as global variables in Bruno:
+
+| Variable           | Description                                           | Example                       | Secret |
+| ------------------ | ----------------------------------------------------- | ----------------------------- | ------ |
+| `APIM_ENV`         | The APIM environment you're testing against           | `internal-dev`                |        |
+| `auth_token`       | The auth token to use when accessing APIM             | `your-auth-token-here`        | x      |
+
+### 4. Developer Hub Application Setup
 
 Register an application on the [Internal Developer Hub](https://dos-internal.ptl.api.platform.nhs.uk/Index):
 
 1. Generate a public/private key pair
 2. Upload the public key to your application
 3. Copy the **Active API Key** and set it as the `JWT_SECRET` environment variable in Bruno
 
-### 4. Configure Proxy Endpoint
+### 5. Configure Proxy Endpoint
 
-The POST request URL automatically targets your preview environment proxy using the `PR_NUMBER` environment variable, which you will need to set. The URL follows this format:
+The POST request URL automatically targets your preview environment proxy using the `PR_NUMBER` and `APIM_ENV` environment variables, which you will need to set. The URL follows this format:
 
 ```text
-https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-{{PR_NUMBER}}/FHIR/R4/Bundle
+https://{{APIM_ENV}}.api.service.nhs.uk/pathology-laboratory-reporting-pr-{{PR_NUMBER}}/FHIR/R4/Bundle
 ```

bruno/APIM/environments/APIM.bru

@@ -2,5 +2,5 @@ vars:secret [
   PRIVATE_KEY_PATH,
   JWT_SECRET,
   PR_NUMBER,
-  auth_token
+  KID
 ]

bruno/PDM/Bundle/Post_a_Batch_Bundle_with_gets.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://int.api.service.nhs.uk/patient-data-manager/FHIR/R4/
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/patient-data-manager/FHIR/R4/
   body: json
   auth: inherit
 }

bruno/PDM/Bundle/Post_a_Transaction_Bundle.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://int.api.service.nhs.uk/patient-data-manager/FHIR/R4/
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/patient-data-manager/FHIR/R4/
   body: json
   auth: inherit
 }

bruno/PDM/Bundle/folder.bru

@@ -1,6 +1,6 @@
 meta {
   name: Bundle
-  seq: 6
+  seq: 4
 }
 
 auth {

bruno/PDM/Document/Post_a_Document.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://int.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle
   body: json
   auth: inherit
 }

bruno/PDM/Document/Post_a_Document_Pathology-Bundle-CRP-Report-Document-Example.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: https://int.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle
   body: json
   auth: inherit
 }

bruno/PDM/Document/Retrieve_Document.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 get {
-  url: https://int.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle/6a0c6a4d-9941-35cf-b83d-76fa4b880a85
+  url: https://{{APIM_ENV}}.api.service.nhs.uk/patient-data-manager/FHIR/R4/Bundle/6a0c6a4d-9941-35cf-b83d-76fa4b880a85
   body: none
   auth: inherit
 }