From 01ebca068e3abaafee26391147262320fa3456f1 Mon Sep 17 00:00:00 2001
From: David Hamill
Date: Thu, 6 Mar 2025 09:20:59 +0000
Subject: [PATCH 1/3] Create a privileged app-restricted acccess mode. The new access mode will enable apps to gain privileged access to demographic data, so that we can return the sensitive data fields they require to fulfil their business/healthcare role.
---
 manifest_template.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/manifest_template.yml b/manifest_template.yml
index 4b3e02ce4..df9954598 100644
--- a/manifest_template.yml
+++ b/manifest_template.yml
@@ -134,6 +134,12 @@ ACCESS_MODES:
 scopes: ['urn:nhsd:apim:app:level3:personal-demographics-service']
 requireCallbackUrl: false
 description: Application Restricted
+ - name: privileged-application-restricted
+ nameSuffix: -privileged-application-restricted
+ displayName: Privileged-Application-Restricted
+ scopes: ['urn:nhsd:apim:app:level3-privileged:personal-demographics-service']
+ requireCallbackUrl: false
+ description: Privileged Application Restricted
 - name: patient-access
 nameSuffix: -patient-access
 displayName: Patient-Access
From c537274828183a0ad79be43864b2d9f3d6d0c7b3 Mon Sep 17 00:00:00 2001
From: David Hamill
Date: Thu, 6 Mar 2025 16:17:14 +0000
Subject: [PATCH 2/3] oauth/identity service filters scopes to find available app-restricted scopes by finding all that start with "urn:nhsd:apim:app:level3:". We will need to use a scope that matches this pattern, otherwise it will not make it on to the available scopes list in PDS.
---
 manifest_template.yml | 2 +-
 proxies/live/apiproxy/targets/ig3.xml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/manifest_template.yml b/manifest_template.yml
index df9954598..8441955bc 100644
--- a/manifest_template.yml
+++ b/manifest_template.yml
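Review bot: The new `privileged-application-restricted` mode differs from the `application-restricted` mode above it only in its scope string — `requireCallbackUrl: false` and a one-line `description` are copied verbatim — so nothing in the manifest records that this mode unlocks sensitive demographic fields, which is the whole reason it exists per the commit message. Suggest making the description carry that, e.g. `description: Privileged Application Restricted (returns sensitive demographic fields)`, so the elevated exposure is visible where the product is defined. Defining the mode here also gates nothing by itself: the proxy still needs a condition that matches the new scope string exactly (the existing application-restricted condition in this series anchors the whole scope with `^`, `\ ` and `$`), and until that exists a token carrying only the privileged scope will presumably fall through to whatever the proxy does for an unrecognised scope — worth confirming before the product becomes subscribable. The `level3-privileged:` scope value chosen here is replaced by the following patch, so it is not commented on.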
@@ -137,7 +137,7 @@ ACCESS_MODES:
 - name: privileged-application-restricted
 nameSuffix: -privileged-application-restricted
 displayName: Privileged-Application-Restricted
- scopes: ['urn:nhsd:apim:app:level3-privileged:personal-demographics-service']
+ scopes: ['urn:nhsd:apim:app:level3:privileged-personal-demographics-service']
 requireCallbackUrl: false
 description: Privileged Application Restricted
 - name: patient-access
diff --git a/proxies/live/apiproxy/targets/ig3.xml b/proxies/live/apiproxy/targets/ig3.xml
index 125129e7f..bcdd5109c 100644
--- a/proxies/live/apiproxy/targets/ig3.xml
+++ b/proxies/live/apiproxy/targets/ig3.xml
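Review bot: Moving the scope under the `urn:nhsd:apim:app:level3:` prefix makes it indistinguishable from ordinary app-restricted scopes to anything that keys on that prefix — which, per the commit message, is exactly how the identity service enumerates app-restricted scopes. That is fine for discovery, but it means the privileged mode must never be granted by prefix anywhere: the proxy condition that switches on this mode has to match the full string `urn:nhsd:apim:app:level3:privileged-personal-demographics-service` with the same `^`/`\ `/`$` anchoring the existing `application-restricted` condition uses, and it should be confirmed that the identity service attaches this scope only to the `-privileged-application-restricted` product rather than to every product whose scopes start with `level3:`. If any component derives the service name from the last URN segment it will now see `privileged-personal-demographics-service` instead of `personal-demographics-service`; I cannot tell from this hunk whether anything does.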
@@ -20,6 +20,10 @@ AssignMessage.SetAccessModeApplicationRestricted + + AssignMessage.SetAccessModePrivilegedApplicationRestricted + (scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|.+\ personal-demographics-service:USER-RESTRICTED\ .+|^personal-demographics-service:USER-RESTRICTED\ .+|.+\ personal-demographics-service:USER-RESTRICTED$|^personal-demographics-service:USER-RESTRICTED$)") or ((scope JavaRegex "(.+\ urn:nhsd:apim:app:level3:personal-demographics-service\ .+|^urn:nhsd:apim:app:level3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:app:level3:personal-demographics-service$|^urn:nhsd:apim:app:level3:personal-demographics-service$)" and apim-app-flow-vars.pds.app-restricted.update Is "true") + AssignMessage.SetAccessModeUserRestricted (scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|.+\ personal-demographics-service:USER-RESTRICTED\ .+|^personal-demographics-service:USER-RESTRICTED\ .+|.+\ 
personal-demographics-service:USER-RESTRICTED$|^personal-demographics-service:USER-RESTRICTED$)") or ((scope JavaRegex "(.+\ urn:nhsd:apim:app:level3:personal-demographics-service\ .+|^urn:nhsd:apim:app:level3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:app:level3:personal-demographics-service$|^urn:nhsd:apim:app:level3:personal-demographics-service$)" and apim-app-flow-vars.pds.app-restricted.update Is "true") From f9545a70ff6b24c92001ac4fc35b1f3d459e42f3 Mon Sep 17 00:00:00 2001 From: David Hamill Date: Thu, 6 Mar 2025 16:25:13 +0000 Subject: [PATCH 3/3] Undo unintended commit. --- proxies/live/apiproxy/targets/ig3.xml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/proxies/live/apiproxy/targets/ig3.xml b/proxies/live/apiproxy/targets/ig3.xml index bcdd5109c..125129e7f 100644 --- a/proxies/live/apiproxy/targets/ig3.xml +++ b/proxies/live/apiproxy/targets/ig3.xml 
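Review bot: The condition added for `AssignMessage.SetAccessModePrivilegedApplicationRestricted` is a verbatim copy of the one on the `SetAccessModeUserRestricted` step that follows it — it tests the user-restricted `aal3` scopes and the `level3:personal-demographics-service` plus `pds.app-restricted.update` case and never mentions the new `level3:privileged-personal-demographics-service` scope — so as written it would set the privileged access mode for user-restricted tokens rather than for privileged apps. Patch 3/3 reverts this hunk as unintended, so the two patches should be squashed rather than leaving the broken step in history. When the step is reintroduced its condition should match the privileged scope exactly, e.g. `(scope JavaRegex "(.+\ urn:nhsd:apim:app:level3:privileged-personal-demographics-service\ .+|^urn:nhsd:apim:app:level3:privileged-personal-demographics-service\ .+|.+\ urn:nhsd:apim:app:level3:privileged-personal-demographics-service$|^urn:nhsd:apim:app:level3:privileged-personal-demographics-service$)")`, and its position relative to the other `SetAccessMode*` steps needs checking, since if more than one step's condition matches a token the step that runs last presumably determines the access mode; the XML tags have been lost in this rendering so that ordering cannot be confirmed here. The enclosing flow starts and ends outside this hunk.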
@@ -20,10 +20,6 @@ AssignMessage.SetAccessModeApplicationRestricted - - AssignMessage.SetAccessModePrivilegedApplicationRestricted - (scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|.+\ personal-demographics-service:USER-RESTRICTED\ .+|^personal-demographics-service:USER-RESTRICTED\ .+|.+\ personal-demographics-service:USER-RESTRICTED$|^personal-demographics-service:USER-RESTRICTED$)") or ((scope JavaRegex "(.+\ urn:nhsd:apim:app:level3:personal-demographics-service\ .+|^urn:nhsd:apim:app:level3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:app:level3:personal-demographics-service$|^urn:nhsd:apim:app:level3:personal-demographics-service$)" and apim-app-flow-vars.pds.app-restricted.update Is "true") - AssignMessage.SetAccessModeUserRestricted (scope JavaRegex "(.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-id:aal3:personal-demographics-service$|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|^urn:nhsd:apim:user-nhs-cis2:aal3:personal-demographics-service$|.+\ personal-demographics-service:USER-RESTRICTED\ .+|^personal-demographics-service:USER-RESTRICTED\ .+|.+\ 
personal-demographics-service:USER-RESTRICTED$|^personal-demographics-service:USER-RESTRICTED$)") or ((scope JavaRegex "(.+\ urn:nhsd:apim:app:level3:personal-demographics-service\ .+|^urn:nhsd:apim:app:level3:personal-demographics-service\ .+|.+\ urn:nhsd:apim:app:level3:personal-demographics-service$|^urn:nhsd:apim:app:level3:personal-demographics-service$)" and apim-app-flow-vars.pds.app-restricted.update Is "true")