merge main changes

Author: gbmojo

.gitignore

@@ -86,6 +86,7 @@ __pycache__/
 *.key
 *.csr
 *.pem
+*.enc
 
 # Localstack
 localstack/cache

docs/guides/setting-up-a-new-consumer.md

@@ -124,6 +124,12 @@ tar cvfz hmpps-integration-api-preprod.tar.gz preprod/preprod-client.key preprod
 openssl enc -aes-256-cbc -pbkdf2 -iter 310000 -md sha256 -salt -in hmpps-integration-api-preprod.tar.gz -out hmpps-integration-api-preprod.tar.gz.enc -pass file:./symmetric.key
 ```
 
+### Alternatively
+
+If the client's public key is named `hmpps-integration-api-cred-exchange-public-key.pem`, change directory into the `scripts/client_certificates` directory and run the `zip.sh` command. This should complete the above steps.
+
+### Accessing the credentials
+
 We can now send the **encrypted** symmetric key (`symmetric.key.enc`) and **encrypted** access credentials (`hmpps-integration-api-preprod.tar.gz.enc`) to the client via email. The client may now decrypt the symmetric key using their private key and subsequently the access credentials using the symmetric key
 
 ```Bash

scripts/client_certificates/zip.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+read_certificate_arguments() {
+  echo "Environment: (dev, preprod or prod)"
+  read environment
+  echo "Client identifier (no spaces, lowercase) that will be used for authorisation: e.g. mapps"
+  read client
+}
+
+get_api_key() {
+  api_key=`kubectl -n hmpps-integration-api-$environment get secrets consumer-api-keys -o json | jq -r .data.$client | base64 -d`
+  echo -n $api_key > $environment-$client-api-key
+}
+
+generate_symmetric_key() {
+  # Create a symmetric key
+  head /dev/urandom | sha256sum > symmetric.key
+  # Encrypt with client's public key
+  openssl pkeyutl -encrypt -pubin -inkey hmpps-integration-api-cred-exchange-public-key.pem -in symmetric.key -out symmetric.key.enc
+}
+
+zip_files() {
+  # Create a tarball of the access credentials
+  tar cvfz hmpps-integration-api-$environment.tar.gz $environment-$client-api-key $environment-$client-client.key $environment-$client-client.pem
+  # Encrypt using symmetric key
+  openssl enc -aes-256-cbc -pbkdf2 -iter 310000 -md sha256 -salt -in hmpps-integration-api-$environment.tar.gz -out hmpps-integration-api-$environment.tar.gz.enc -pass file:./symmetric.key
+}
+
+main() {
+  read_certificate_arguments
+  get_api_key
+  generate_symmetric_key
+  zip_files
+}
+
+main

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/common/ConsumerPrisonAccessService.kt

@@ -0,0 +1,21 @@
+package uk.gov.justice.digital.hmpps.hmppsintegrationapi.common
+
+import org.springframework.stereotype.Service
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.hmpps.Response
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.hmpps.UpstreamApi
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.hmpps.UpstreamApiError
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.roleconfig.ConsumerFilters
+
+@Service
+class ConsumerPrisonAccessService {
+  fun <T> checkConsumerHasPrisonAccess(
+    prisonId: String?,
+    filters: ConsumerFilters?,
+  ): Response<T?> {
+    val response = Response<T?>(data = null, errors = emptyList<UpstreamApiError>())
+    if (filters != null && !filters.matchesPrison(prisonId)) {
+      response.errors = listOf(UpstreamApiError(UpstreamApi.NOMIS, UpstreamApiError.Type.ENTITY_NOT_FOUND, "Not found"))
+    }
+    return response
+  }
+}

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/config/HmppsIntegrationApiExceptionHandler.kt

@@ -4,17 +4,20 @@ import io.sentry.Sentry
 import jakarta.validation.ValidationException
 import org.slf4j.LoggerFactory
 import org.springframework.http.HttpStatus
+import org.springframework.http.HttpStatus.BAD_GATEWAY
 import org.springframework.http.HttpStatus.BAD_REQUEST
+import org.springframework.http.HttpStatus.CONFLICT
 import org.springframework.http.HttpStatus.FORBIDDEN
 import org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR
 import org.springframework.http.HttpStatus.NOT_FOUND
 import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.ExceptionHandler
 import org.springframework.web.bind.annotation.RestControllerAdvice
 import org.springframework.web.reactive.function.client.WebClientResponseException
-import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.AuthenticationFailedException
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.ConflictFoundException
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.EntityNotFoundException
-import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.MessageFailedException
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.ForbiddenByUpstreamServiceException
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.HmppsAuthFailedException
 
 @RestControllerAdvice
 class HmppsIntegrationApiExceptionHandler {
@@ -46,15 +49,29 @@ class HmppsIntegrationApiExceptionHandler {
       )
   }
 
-  @ExceptionHandler(AuthenticationFailedException::class)
-  fun handleAuthenticationFailedException(e: AuthenticationFailedException): ResponseEntity<ErrorResponse?>? {
-    logAndCapture("Authentication error: {}", e)
+  @ExceptionHandler(HmppsAuthFailedException::class)
+  fun handleAuthenticationFailedException(e: HmppsAuthFailedException): ResponseEntity<ErrorResponse?>? {
+    logAndCapture("Authentication error in HMPPS Auth: {}", e)
+    return ResponseEntity
+      .status(BAD_GATEWAY)
+      .body(
+        ErrorResponse(
+          status = BAD_GATEWAY,
+          developerMessage = "Authentication error: ${e.message}",
+          userMessage = e.message,
+        ),
+      )
+  }
+
+  @ExceptionHandler(ForbiddenByUpstreamServiceException::class)
+  fun handleAuthenticationFailedException(e: ForbiddenByUpstreamServiceException): ResponseEntity<ErrorResponse?>? {
+    logAndCapture("Forbidden to complete action by upstream service: {}", e)
     return ResponseEntity
       .status(FORBIDDEN)
       .body(
         ErrorResponse(
           status = FORBIDDEN,
-          developerMessage = "Authentication error: ${e.message}",
+          developerMessage = "Forbidden to complete action by upstream service: ${e.message}",
           userMessage = e.message,
         ),
       )
@@ -74,29 +91,29 @@ class HmppsIntegrationApiExceptionHandler {
       )
   }
 
-  @ExceptionHandler(WebClientResponseException::class)
-  fun handleWebClientResponseException(e: WebClientResponseException): ResponseEntity<ErrorResponse?>? {
-    logAndCapture("Upstream service down: {}", e)
+  @ExceptionHandler(ConflictFoundException::class)
+  fun handleConflictException(e: ConflictFoundException): ResponseEntity<ErrorResponse> {
+    logAndCapture("Conflict exception: {}", e)
     return ResponseEntity
-      .status(INTERNAL_SERVER_ERROR)
+      .status(CONFLICT)
       .body(
         ErrorResponse(
-          status = INTERNAL_SERVER_ERROR,
-          developerMessage = "Unable to complete request as an upstream service is not responding",
+          status = CONFLICT,
+          developerMessage = "Unable to complete request as this is a duplicate request",
           userMessage = e.message,
         ),
       )
   }
 
-  @ExceptionHandler(MessageFailedException::class)
-  fun handleMessageFailedExceptionException(e: MessageFailedException): ResponseEntity<ErrorResponse?>? {
-    logAndCapture("Unable to send message to SQS: {}", e)
+  @ExceptionHandler(WebClientResponseException::class)
+  fun handleWebClientResponseException(e: WebClientResponseException): ResponseEntity<ErrorResponse?>? {
+    logAndCapture("Upstream service down: {}", e)
     return ResponseEntity
       .status(INTERNAL_SERVER_ERROR)
       .body(
         ErrorResponse(
           status = INTERNAL_SERVER_ERROR,
-          developerMessage = "Unable to send message to SQS",
+          developerMessage = "Unable to complete request as an upstream service is not responding",
           userMessage = e.message,
         ),
       )

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/config/OpenAPIConfig.kt

@@ -77,6 +77,24 @@ class OpenAPIConfig {
                 "developerMessage" to Schema<String>().type("string").example("Unable to complete request as an upstream service is not responding."),
               ),
             ),
+          ).addSchemas(
+            "TransactionConflict",
+            Schema<ErrorResponse>().description("Duplicate post - The client_unique_ref has been used before").properties(
+              mapOf(
+                "status" to Schema<Int>().type("number").example(409),
+                "userMessage" to Schema<String>().type("string").example("Conflict"),
+                "developerMessage" to Schema<String>().type("string").example("Duplicate post - The client_unique_ref has been used before"),
+              ),
+            ),
+          ).addSchemas(
+            "ForbiddenResponse",
+            Schema<ErrorResponse>().description("Forbidden to complete action by upstream service").properties(
+              mapOf(
+                "status" to Schema<Int>().type("number").example(403),
+                "userMessage" to Schema<String>().type("string").example("Forbidden to complete action by upstream service"),
+                "developerMessage" to Schema<String>().type("string").example("Forbidden to complete action by upstream service"),
+              ),
+            ),
           )
       }
     }

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/config/RequestLogger.kt

@@ -5,7 +5,6 @@ import jakarta.servlet.http.HttpServletResponse
 import org.slf4j.LoggerFactory
 import org.springframework.stereotype.Component
 import org.springframework.web.servlet.HandlerInterceptor
-import java.util.stream.Collectors
 
 // Intercepts incoming requests and logs them
 @Component
@@ -32,8 +31,9 @@ class RequestLogger : HandlerInterceptor {
     val method: String = "Method: " + request.method
     val endpoint: String = "Request URI: " + request.requestURI // Could this expose authentication credentials?
     val requestURL: String = "Full Request URL: " + request.requestURL
-    val body: String = ("Body: " + request.reader.lines().collect(Collectors.joining()))
+    // Unable to use reader here and read the request body into a controller method
+    // val body: String = ("Body: " + request.reader.lines().collect(Collectors.joining()))
 
-    return "$requestIp \n $method \n $endpoint \n $body \n $requestURL"
+    return "$requestIp \n $method \n $endpoint \n $requestURL"
   }
 }

src/main/kotlin/uk/gov/justice/digital/hmpps/hmppsintegrationapi/controllers/v1/RiskManagementController.kt

@@ -14,6 +14,7 @@ import org.springframework.web.bind.annotation.RequestParam
 import org.springframework.web.bind.annotation.RestController
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.config.AuthorisationConfig
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.EntityNotFoundException
+import uk.gov.justice.digital.hmpps.hmppsintegrationapi.exception.ForbiddenByUpstreamServiceException
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.extensions.decodeUrlCharacters
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.hmpps.RiskManagementPlan
 import uk.gov.justice.digital.hmpps.hmppsintegrationapi.models.hmpps.UpstreamApi
@@ -35,6 +36,7 @@ class RiskManagementController(
     summary = "Returns a list of Risk Management Plans created for the person with the provided HMPPS ID.",
     responses = [
       ApiResponse(responseCode = "200", useReturnTypeSchema = true, description = "Successfully found risk management plans for a person with the provided HMPPS ID."),
+      ApiResponse(responseCode = "403", content = [Content(schema = Schema(ref = "#/components/schemas/ForbiddenResponse"))]),
       ApiResponse(responseCode = "404", content = [Content(schema = Schema(ref = "#/components/schemas/PersonNotFound"))]),
       ApiResponse(responseCode = "500", content = [Content(schema = Schema(ref = "#/components/schemas/InternalServerError"))]),
     ],
@@ -46,14 +48,21 @@ class RiskManagementController(
   ): PaginatedResponse<RiskManagementPlan> {
     val hmppsId = encodedHmppsId.decodeUrlCharacters()
     val response = getRiskManagementPlansForCrnService.execute(hmppsId)
+
+    if (response.hasErrorCausedBy(UpstreamApiError.Type.ENTITY_NOT_FOUND, causedBy = UpstreamApi.RISK_MANAGEMENT_PLAN)) {
+      throw EntityNotFoundException("Could not find person with id: $hmppsId")
+    }
+
+    if (response.hasErrorCausedBy(UpstreamApiError.Type.FORBIDDEN, causedBy = UpstreamApi.RISK_MANAGEMENT_PLAN)) {
+      throw ForbiddenByUpstreamServiceException("Upstream API service returned a forbidden error")
+    }
+
+    auditService.createEvent("GET_RISK_MANAGEMENT_PLANS", mapOf("hmppsId" to hmppsId))
+
     if (response.data.isNullOrEmpty()) {
-      if (response.hasErrorCausedBy(UpstreamApiError.Type.ENTITY_NOT_FOUND, causedBy = UpstreamApi.RISK_MANAGEMENT_PLAN)) {
-        throw EntityNotFoundException("Could not find person with id: $hmppsId")
-      }
       return emptyList<RiskManagementPlan>().paginateWith(page, perPage)
     }
 
-    auditService.createEvent("GET_RISK_MANAGEMENT_PLANS", mapOf("hmppsId" to hmppsId))
     return response.data.paginateWith(page, perPage)
   }
 }