43 commits
8e135d2
feat: implement toggled signature validation
bencegadanyi1-nhs Mar 11, 2026
9e5ac52
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 11, 2026
d7b3689
feat: implement toggled signature validation
bencegadanyi1-nhs Mar 11, 2026
935dca7
feat: implements and tests signature validation
bencegadanyi1-nhs Mar 16, 2026
83b2c11
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 16, 2026
f82a5d9
chore: stack export signature validation feature flag value
bencegadanyi1-nhs Mar 16, 2026
5508536
chore: set regression test pack
bencegadanyi1-nhs Mar 16, 2026
f024acc
test: update pact tests
bencegadanyi1-nhs Mar 18, 2026
e2546cf
chore: trivy ignore fast-xml-parser
bencegadanyi1-nhs Mar 18, 2026
65c9f1b
chore: removes redundant try catch
bencegadanyi1-nhs Mar 18, 2026
4ed880e
chore: changes test description
bencegadanyi1-nhs Mar 18, 2026
1347b85
test: adds missing diagnostic field
bencegadanyi1-nhs Mar 18, 2026
3f5592f
chore: reverts testcases
bencegadanyi1-nhs Mar 18, 2026
d6ca7b2
feat: sign prescriptions with invalid checksum for Spine response
bencegadanyi1-nhs Mar 18, 2026
da1f9a0
feat: sign prescriptions with invalid checksum for Spine response
bencegadanyi1-nhs Mar 18, 2026
0cfbed1
chore: passing pull-request-id to regression tests
bencegadanyi1-nhs Mar 18, 2026
590fe99
test: process route coverage
bencegadanyi1-nhs Mar 18, 2026
204e4a4
chore: remove pull request id for regression tests
bencegadanyi1-nhs Mar 18, 2026
d886f76
chore: word change
bencegadanyi1-nhs Mar 18, 2026
f08a8c6
tirgger build
bencegadanyi1-nhs Mar 19, 2026
34e0b62
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 19, 2026
c74d7e9
refactor: avoids double translation by reusing ParentPrescription
bencegadanyi1-nhs Mar 23, 2026
ea7d52a
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 23, 2026
22051b5
chore: addresses SQ code smells
bencegadanyi1-nhs Mar 23, 2026
cb8a615
chore: enable signature validation in apim
bencegadanyi1-nhs Mar 25, 2026
ca8ca7a
trigger build
bencegadanyi1-nhs Mar 25, 2026
9e441d0
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 26, 2026
6efeaa1
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 27, 2026
658ed82
chore: address regression test and TODO comments
bencegadanyi1-nhs Mar 27, 2026
fa1f88c
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Mar 30, 2026
6dabc25
test: adds pct test backward compatibility
bencegadanyi1-nhs Mar 30, 2026
f0d93ac
chore: add signature validation flag to each env on APIM
bencegadanyi1-nhs Mar 30, 2026
c78565c
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 1, 2026
c706937
trigger build
bencegadanyi1-nhs Apr 1, 2026
3f8fecc
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 1, 2026
cea52f3
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 1, 2026
4c9f818
feat: makes the feature flag conditioned on apim
bencegadanyi1-nhs Apr 1, 2026
8ccc53f
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 1, 2026
33cc962
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 2, 2026
417f56e
trigger build
bencegadanyi1-nhs Apr 2, 2026
a0781ef
chore: addresses commments making validation DRY and removes pointles…
bencegadanyi1-nhs Apr 2, 2026
9c29864
Merge branch 'master' into AEA-4652-add-prescription-order-endpoint-s…
bencegadanyi1-nhs Apr 2, 2026
b610beb
chore: removes 2nd import
bencegadanyi1-nhs Apr 2, 2026
1 change: 1 addition & 0 deletions .github/scripts/fix_cdk_json.sh
Expand Up @@ -76,6 +76,7 @@ fix_string_key defaultPTLPartyKey "${DEFAULT_PTL_PARTY_KEY}"
fix_string_key sandboxModeEnabled "${SANDBOX_MODE_ENABLED}"
fix_boolean_number_key enableMutualTls "${ENABLE_MUTUAL_TLS}"
fix_string_key SHA1EnabledApplicationIds "${SHA1_ENABLED_APPLICATION_IDS}"
fix_boolean_number_key enablePrescribingSignatureValidation "${ENABLE_PRESCRIBING_SIGNATURE_VALIDATION}"
fix_boolean_number_key desiredFhirFacadeCount "${DESIRED_FHIR_FACADE_COUNT}"
fix_boolean_number_key forwardCsocLogs "${FORWARD_CSOC_LOGS}"

5 changes: 5 additions & 0 deletions .github/workflows/cdk_release_code.yml
Expand Up @@ -72,6 +72,9 @@ on:
SHA1_ENABLED_APPLICATION_IDS:
type: string
required: true
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION:
type: boolean
required: true
SANDBOX_MODE_ENABLED:
type: string
required: true
Expand Down Expand Up @@ -234,6 +237,7 @@ jobs:
SANDBOX_MODE_ENABLED: "${{ inputs.SANDBOX_MODE_ENABLED }}"
ENABLE_MUTUAL_TLS: "${{ inputs.ENABLE_MUTUAL_TLS }}"
SHA1_ENABLED_APPLICATION_IDS: "${{ inputs.SHA1_ENABLED_APPLICATION_IDS }}"
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: "${{ inputs.ENABLE_PRESCRIBING_SIGNATURE_VALIDATION }}"
DESIRED_FHIR_FACADE_COUNT: "${{ inputs.DESIRED_FHIR_FACADE_COUNT }}"
DESIRED_CLAIMS_COUNT: "${{ inputs.DESIRED_CLAIMS_COUNT }}"
DESIRED_PEAK_CLAIMS_COUNT: "${{ inputs.DESIRED_PEAK_CLAIMS_COUNT }}"
Expand Down Expand Up @@ -373,6 +377,7 @@ jobs:
APIGEE_ENVIRONMENT: ${{ inputs.APIGEE_ENVIRONMENT }}
VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
IS_PULL_REQUEST: ${{ inputs.IS_PULL_REQUEST }}
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: ${{ inputs.ENABLE_PRESCRIBING_SIGNATURE_VALIDATION }}
pinned_image: ${{ inputs.pinned_image }}
secrets:
API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -95,6 +95,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -143,6 +144,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 1
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -195,6 +197,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 4515047f-fdbf-486f-bafe-dfae62482526,d3984d64-c463-4bb1-adec-ba303a8a123b
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 2
DESIRED_CLAIMS_COUNT: 2
Expand Down Expand Up @@ -243,6 +246,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 5ad18b73-df45-4d41-9a1e-764d5a2b8671,8082cea1-1016-4ebf-9d80-5057c8275074
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
2 changes: 2 additions & 0 deletions .github/workflows/pull_request.yml
Expand Up @@ -134,6 +134,7 @@ jobs:
IS_PULL_REQUEST: true
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -178,6 +179,7 @@ jobs:
IS_PULL_REQUEST: true
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 1
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
7 changes: 7 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -96,6 +96,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -144,6 +145,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 1
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -196,6 +198,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 4515047f-fdbf-486f-bafe-dfae62482526,d3984d64-c463-4bb1-adec-ba303a8a123b
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 2
DESIRED_CLAIMS_COUNT: 2
Expand Down Expand Up @@ -244,6 +247,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 5ad18b73-df45-4d41-9a1e-764d5a2b8671,8082cea1-1016-4ebf-9d80-5057c8275074
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -290,6 +294,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 5a5e8a3d-8272-4d59-985e-5b2df5c08176,b09efcba-4fa0-4cb9-8ee0-d49b43a4cc1d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -338,6 +343,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: unused
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 1
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
Expand Down Expand Up @@ -381,6 +387,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: false
SHA1_ENABLED_APPLICATION_IDS: dbc8b146-7cb1-4a72-a4b3-767a118bdc36,875e2505-6ad5-442a-9e6c-69a299561e33,da32c882-52d4-41f7-86c2-959b15673aca
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 2
DESIRED_CLAIMS_COUNT: 2
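Review bot: The last two environments in this file get `ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false` with nothing recording why the check is off or when it is meant to be switched on. The final block looks like production (its `SHA1_ENABLED_APPLICATION_IDS` match the list in `packages/coordinator/ecs-proxies-deploy-prod.yml`, which also sets the flag to `"false"`), so prescriptions there would still be forwarded to Spine without the new signature check. If this is a staged rollout, say so next to the value in both files, for example `# signature validation not yet enabled in prod - tracked in <ticket-id>`, so the disabled control is a visible decision rather than a default nobody revisits. The job definitions start outside these hunks, so the environment names are inferred.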
1 change: 1 addition & 0 deletions .github/workflows/release_ref.yml
Expand Up @@ -73,6 +73,7 @@ jobs:
IS_PULL_REQUEST: false
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 4515047f-fdbf-486f-bafe-dfae62482526,d3984d64-c463-4bb1-adec-ba303a8a123b
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: true
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 2
DESIRED_CLAIMS_COUNT: 2
4 changes: 4 additions & 0 deletions .github/workflows/run_pact_tests.yml
Expand Up @@ -12,6 +12,9 @@ on:
IS_PULL_REQUEST:
type: boolean
default: false
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION:
type: boolean
default: false
pinned_image:
type: string
required: true
Expand Down Expand Up @@ -87,6 +90,7 @@ jobs:
SIGNING_PRIVATE_KEY: ${{ secrets.SIGNING_PRIVATE_KEY }}
SIGNING_CERT: ${{ secrets.SIGNING_CERT }}
API_DEPLOYMENT_METHOD: proxygen
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: ${{ inputs.ENABLE_PRESCRIBING_SIGNATURE_VALIDATION }}

- name: Verify pacts
shell: bash
4 changes: 2 additions & 2 deletions .github/workflows/run_regression_tests.yml
Expand Up @@ -63,11 +63,11 @@ jobs:
run: |
if [[ "$TARGET_ENVIRONMENT" != "prod" && "$TARGET_ENVIRONMENT" != "ref" ]]; then
# this should be the tag of the tests you want to run
REGRESSION_TEST_REPO_TAG=v3.9.9
REGRESSION_TEST_REPO_TAG=v3.12.0

# this should be the tag of the regression test workflow you want to run
# This will normally be the same as REGRESSION_TEST_REPO_TAG
REGRESSION_TEST_WORKFLOW_TAG=v3.9.9
REGRESSION_TEST_WORKFLOW_TAG=v3.12.0

Comment thread
bencegadanyi1-nhs marked this conversation as resolved.
# If the workflow tag doesn't start with `v`, it's a PR and we need to use the path heads, instead of refs
# e.g. refs/heads/aea-0000-test-pr/scripts/run_regression_tests.py
2 changes: 1 addition & 1 deletion .trivyignore.yaml
Expand Up @@ -158,7 +158,7 @@ vulnerabilities:
- id: CVE-2026-2229
statement: Transitive dependency vulnerability in undici of npm
expired_at: 2026-06-01
- id: CVE-2026-33036
- id: CVE-2026-33036
statement: fast-xml-parser vulnerability accepted as risk
expired_at: 2026-06-01
- id: CVE-2026-33180
8 changes: 8 additions & 0 deletions azure/templates/run_tests.yml
Expand Up @@ -114,19 +114,24 @@ steps:
if [[ "$APIGEE_ENVIRONMENT" == *"internal-dev"* ]]; then
API_CLIENT_ID=$(INTERNAL_DEV_CLIENT_ID)
API_CLIENT_SECRET=$(INTERNAL_DEV_CLIENT_SECRET)
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=false
elif [[ "$APIGEE_ENVIRONMENT" == *"internal-qa"* ]]; then
API_CLIENT_ID=$(INTERNAL_QA_CLIENT_ID)
API_CLIENT_SECRET=$(INTERNAL_QA_CLIENT_SECRET)
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=true
elif [[ "$APIGEE_ENVIRONMENT" == *"int"* ]]; then
API_CLIENT_ID=$(INT_CLIENT_ID)
API_CLIENT_SECRET=$(INT_CLIENT_SECRET)
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=true
elif [[ "$APIGEE_ENVIRONMENT" == *"ref"* ]]; then
API_CLIENT_ID=$(REF_CLIENT_ID)
API_CLIENT_SECRET=$(REF_CLIENT_SECRET)
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=true
fi

export API_CLIENT_ID
export API_CLIENT_SECRET
export ENABLE_PRESCRIBING_SIGNATURE_VALIDATION

export APIGEE_ACCESS_TOKEN=dummy_token
echo "##vso[task.setvariable variable=SIGNING_PRIVATE_KEY_PATH]$SIGNING_PRIVATE_KEY_PATH"
Expand All @@ -141,6 +146,7 @@ steps:
echo "##vso[task.setvariable variable=API_MODE]$API_MODE"
echo "##vso[task.setvariable variable=CREATE_PACT_MAKEFILE_TARGET]$CREATE_PACT_MAKEFILE_TARGET"
echo "##vso[task.setvariable variable=API_DEPLOYMENT_METHOD]$API_DEPLOYMENT_METHOD"
echo "##vso[task.setvariable variable=ENABLE_PRESCRIBING_SIGNATURE_VALIDATION]${ENABLE_PRESCRIBING_SIGNATURE_VALIDATION:-false}"
displayName: Set PACT variables and install node dependencies
name: setPactVariables
condition: and(succeeded(), eq(variables['run_smoke_tests'], 'true'))
Expand All @@ -166,6 +172,7 @@ steps:
export API_MODE=$(API_MODE)
export CREATE_PACT_MAKEFILE_TARGET=$(CREATE_PACT_MAKEFILE_TARGET)
export API_DEPLOYMENT_METHOD=$(API_DEPLOYMENT_METHOD)
export ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=$(ENABLE_PRESCRIBING_SIGNATURE_VALIDATION)

echo "SERVICE_ARTIFACT_NAME: ${SERVICE_ARTIFACT_NAME}"
echo "SERVICE_BASE_PATH: ${SERVICE_BASE_PATH}"
Expand Down Expand Up @@ -209,6 +216,7 @@ steps:
export API_MODE=$(API_MODE)
export CREATE_PACT_MAKEFILE_TARGET=$(CREATE_PACT_MAKEFILE_TARGET)
export API_DEPLOYMENT_METHOD=$(API_DEPLOYMENT_METHOD)
export ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=$(ENABLE_PRESCRIBING_SIGNATURE_VALIDATION)

make ${CREATE_PACT_MAKEFILE_TARGET}
displayName: Create PACT tests
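Review bot: The per-environment value set in the first hunk is a second, hand-maintained copy of the rule in `packages/coordinator/ecs-proxies-deploy.yml`, and the two do not agree for every environment. The deployment template turns validation on for everything except `internal-dev` and `internal-dev-sandbox`, while this script sets `true` only for names containing `internal-qa`, `int` or `ref` and falls back to `false` through `${ENABLE_PRESCRIBING_SIGNATURE_VALIDATION:-false}` for anything else. An environment outside both lists (a plain sandbox, if one is deployed this way) would run with validation enabled while the pact tests are built for it being off, so the tests would not exercise the deployed behaviour of the check. Mirroring the template's rule would close the gap: set `ENABLE_PRESCRIBING_SIGNATURE_VALIDATION=true` before the `if` chain and override it to `false` only in the `internal-dev` branch. The script step starts above the hunk.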
1 change: 1 addition & 0 deletions cdk.json
Expand Up @@ -92,6 +92,7 @@
"enableMutualTls": false,
"trustStoreVersion": "foo",
"SHA1EnabledApplicationIds": "",
"enablePrescribingSignatureValidation": false,
"sandboxModeEnabled": "0",
"desiredFhirFacadeCount": 1,
"desiredClaimsCount": 1,
4 changes: 3 additions & 1 deletion packages/cdk/resources/ECSTasks.ts
Expand Up @@ -45,6 +45,7 @@ export interface ECSTasksProps {
readonly coordinatorLogGroup: ILogGroup
readonly validatorLogGroup: ILogGroup
readonly SHA1EnabledApplicationIds: string
readonly enablePrescribingSignatureValidation: boolean
readonly sandboxModeEnabled: string
readonly cpu: number
readonly memory: number
Expand Down Expand Up @@ -141,7 +142,7 @@ export class ECSTasks extends Construct {
],
environment: {
VALIDATOR_HOST: `${props.containerNamePrefix}-validator`,
TARGET_SPINE_SERVER: props.targetSpineServer,
TARGET_SPINE_SERVER: props.targetSpineServer,
MTLS_SPINE_CLIENT: "true",
PRESCRIBE_ENABLED: "true",
DISPENSE_ENABLED: "true",
Expand All @@ -160,6 +161,7 @@ export class ECSTasks extends Construct {
DEFAULT_PTL_ASID: props.defaultPTLAsid,
DEFAULT_PTL_PARTY_KEY: props.defaultPTLPartyKey,
SANDBOX: props.sandboxModeEnabled,
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: String(props.enablePrescribingSignatureValidation),
POLLING_DELAY: props.pollingDelay.toString()
},
secrets: {
21 changes: 16 additions & 5 deletions packages/cdk/stacks/PrescribeDispenseStack.ts
@@ -1,5 +1,6 @@
import {
App,
CfnOutput,
Duration,
Environment,
Fn,
Expand Down Expand Up @@ -39,11 +40,11 @@ import {
import {LogGroup} from "aws-cdk-lib/aws-logs"

export interface PrescribeDispenseStackProps extends StackProps {
readonly env: Environment
readonly serviceName: string
readonly stackName: string
readonly version: string
}
readonly env: Environment
readonly serviceName: string
readonly stackName: string
readonly version: string
}

export class PrescribeDispenseStack extends Stack {

Expand Down Expand Up @@ -71,6 +72,8 @@ export class PrescribeDispenseStack extends Stack {
const trustStoreVersion: string = this.node.tryGetContext("trustStoreVersion")
const SHA1EnabledApplicationIds: string = this.node.tryGetContext("SHA1EnabledApplicationIds")
const sandboxModeEnabled: string = this.node.tryGetContext("sandboxModeEnabled")
const enablePrescribingSignatureValidation: boolean = this.node
.tryGetContext("enablePrescribingSignatureValidation")
const desiredFhirFacadeCount: number = this.node.tryGetContext("desiredFhirFacadeCount")
const desiredClaimsCount: number = this.node.tryGetContext("desiredClaimsCount")
const desiredPeakClaimsCount: number = this.node.tryGetContext("desiredPeakClaimsCount")
Expand Down Expand Up @@ -164,6 +167,7 @@ export class PrescribeDispenseStack extends Stack {
coordinatorLogGroup: logGroups.coordinatorLogGroup,
validatorLogGroup: logGroups.validatorLogGroup,
SHA1EnabledApplicationIds: SHA1EnabledApplicationIds,
enablePrescribingSignatureValidation: enablePrescribingSignatureValidation,
sandboxModeEnabled: sandboxModeEnabled,
cpu: serviceCpu,
memory: serviceMemory,
Expand Down Expand Up @@ -197,6 +201,7 @@ export class PrescribeDispenseStack extends Stack {
coordinatorLogGroup: logGroups.claimsCoordinatorLogGroup,
validatorLogGroup: logGroups.claimsValidatorLogGroup,
SHA1EnabledApplicationIds: SHA1EnabledApplicationIds,
enablePrescribingSignatureValidation: enablePrescribingSignatureValidation,
sandboxModeEnabled: sandboxModeEnabled,
cpu: serviceCpu,
memory: serviceMemory,
Expand Down Expand Up @@ -394,6 +399,12 @@ export class PrescribeDispenseStack extends Stack {
Port.tcp(containerPort),
"Allow traffic to Claims Service from FHIR Facade load balancer"
)

new CfnOutput(this, "EnablePrescribingSignatureValidation", {
Contributor


I'm wondering why this is output when others aren't? I can't see it being used, sorry if I've missed it.

value: String(enablePrescribingSignatureValidation),
exportName: `${props.stackName}:enablePrescribingSignatureValidation`
})

nagSuppressions(this)
}
}
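Review bot: `tryGetContext("enablePrescribingSignatureValidation")` returns an untyped value, so the `: boolean` annotation in the context-reading hunk is not checked when the stack is synthesised. If the key is missing or arrives as something other than a boolean, the `String(...)` calls in `ECSTasks.ts` and in the `CfnOutput` hand `"undefined"` or some other string to the container; how the coordinator's flag helper treats that is not visible here, but anything other than the exact enabling value would presumably leave validation off. Since this value decides whether a security check runs, validate it where it is read, e.g. `if (typeof enablePrescribingSignatureValidation !== "boolean") throw new Error("enablePrescribingSignatureValidation must be true or false")`. The constructor starts and ends outside these hunks.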
2 changes: 2 additions & 0 deletions packages/coordinator/ecs-proxies-deploy-prod.yml
Expand Up @@ -36,6 +36,8 @@ docker_service:
value: "egress.prod.api.platform.nhs.uk:700"
- name: SHA1_ENABLED_APPLICATION_IDS
value: "dbc8b146-7cb1-4a72-a4b3-767a118bdc36,875e2505-6ad5-442a-9e6c-69a299561e33,da32c882-52d4-41f7-86c2-959b15673aca"
- name: ENABLE_PRESCRIBING_SIGNATURE_VALIDATION
value: "false"
secrets:
- name: SPINE_URL
valueFrom: "/{{ account }}/platform-common/egress/hosts/spine-prescriptions-prod"
2 changes: 2 additions & 0 deletions packages/coordinator/ecs-proxies-deploy.yml
Expand Up @@ -43,6 +43,8 @@ docker_service:
# 5a5e8a3d-8272-4d59-985e-5b2df5c08176 = int-eps-fhir-facade-sha1
# 4515047f-fdbf-486f-bafe-dfae62482526 = ref-eps-fhir-facade-sha1
value: "486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,5ad18b73-df45-4d41-9a1e-764d5a2b8671,5a5e8a3d-8272-4d59-985e-5b2df5c08176,4515047f-fdbf-486f-bafe-dfae62482526"
- name: ENABLE_PRESCRIBING_SIGNATURE_VALIDATION
value: "{{ 'false' if APIGEE_ENVIRONMENT in ('internal-dev', 'internal-dev-sandbox') else 'true' }}"
secrets:
- name: SPINE_URL
valueFrom: "/{{ account }}/platform-common/egress/hosts/spine-prescriptions-{{ SPINE_ENV }}"
28 changes: 26 additions & 2 deletions packages/coordinator/src/routes/process.ts
Expand Up @@ -9,7 +9,7 @@ import {
handleResponse
} from "./util"
import {createHash} from "./create-hash"
import {fhir} from "@models"
import {fhir, spine} from "@models"
import * as bundleValidator from "../services/validation/bundle-validator"
import {
getAsid,
Expand All @@ -19,6 +19,9 @@ import {
} from "../utils/headers"
import {getStatusCode} from "../utils/status-code"
import {HashingAlgorithm} from "../services/translation/common/hashingAlgorithm"
import {isSignatureValidationEnabled} from "../utils/feature-flags"
import {identifyMessageType} from "../services/translation/common"
import {verifyAndFormatPrescriptionSignature} from "../services/verification/signature-verification"

export default [
/*
Expand Down Expand Up @@ -49,7 +52,28 @@ export default [
}

request.logger.info("Building Spine request")
const spineRequest = await translator.convertBundleToSpineRequest(bundle, request.headers, request.logger)

let spineRequest: spine.SpineRequest
if (identifyMessageType(bundle) === fhir.EventCodingCode.PRESCRIPTION) {
const result = await translator.convertPrescriptionBundleToSpineRequest(
bundle, request.headers, request.logger
)

if (isSignatureValidationEnabled()) {
const signatureIssues = await verifyAndFormatPrescriptionSignature(
result.parentPrescription, request.logger, "creation"
)
if (signatureIssues.length) {
const response = fhir.createOperationOutcome(signatureIssues, bundle.meta?.lastUpdated)
return responseToolkit.response(response).code(400).type(ContentTypes.FHIR)
}
}

spineRequest = result.spineRequest
} else {
spineRequest = await translator.convertBundleToSpineRequest(bundle, request.headers, request.logger)
}

const spineResponse = await spineClient.send(spineRequest, getAsid(request.headers), request.logger)
return await handleResponse(request, spineResponse, responseToolkit)
})
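Review bot: Neither outcome of the new signature branch is logged in this handler: a prescription rejected with the 400 leaves no line here, and when `isSignatureValidationEnabled()` is false the bundle goes on to Spine with nothing recording that it was not verified. `verifyAndFormatPrescriptionSignature` receives `request.logger` and may log failures itself (not visible in this hunk), but the disabled path has no such chance. Suggest `request.logger.warn("Prescription signature validation failed, rejecting request")` before the `return`, and an `else` arm with `request.logger.info("Prescription signature validation disabled, skipping")`, so rejections and unverified submissions can be told apart in the logs. The handler body starts above the hunk.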