Ryan morosa/bb2 4782 respect v3 app setting calls (#1596)

* Get it initially working

* Do some cleanup

* Get other test placeholders in place

* fix more repo typos (#1585)

* fix typo in constant

* fix typo in css class and feature switch description

* fix typo in acronym

SAMHSA is the correct spelling

* partial revert "fix typo in css class and feature switch description"

Fixing the typo in the CSS class seems to add a box that looks out of
place on the signup page, so reverting for now.

This partially reverts commit e5fe41a.

* BB2-4780 block v1/v2 EOB calls for tokens that suppress SAMSHA data (#1594)

Blocks EOB calls on v1/v2 for tokens where the user has gone through a v3 auth flow and elected not to share SAMSHA data.

* add permission that blocks EOB requests in v1/2 for tokens that suppress SAMSHA data

* fix typo (SAMHSA is the correct spelling)

* add tests for SamhsaPermission

* remove commented-out test

I believe this will be covered in future work.

* remove TODO comment

* mark tests as integration tests

* remove integration tag

This test fails before any requests to BFD happen, so it does not need
all the setup of an integration test.

* change to absolute import

* use request.auth, which is documented

_auth does not, at least that I could find

* rename class to hopefully make meaning clearer

* rename class

We generally assume v2 means 1 or 2.

* Get rid of comment

* Get rid of changes in generic

* More cleanup

* Get rid of ruff errors

* Get unit tests working

* Get integration tests to better place

* Get unit test working better

* Make function has_protected_resource a lot nicer looking

* Small cleanup

* Fix unit tests

* Adjust var names

* Fix unit test class and function names

* Make other integration tests

* Get rid of edit to test_integration_fhir

* Update constants

* Make edit to error fix

* Add override switch for v3 endpoints back

---------

Co-authored-by: annamontare-nava <267455234+annamontare-nava@users.noreply.github.com>

Author: ryan-morosa

apps/capabilities/permissions.py

@@ -1,12 +1,10 @@
-import json
-import re
-
-from apps.dot_ext.scopes import CapabilitiesScopes
 from rest_framework import permissions, status
 from rest_framework.exceptions import APIException, ParseError
 from waffle import switch_is_active
 
 from apps.capabilities.models import ProtectedCapability
+from apps.dot_ext.scopes import CapabilitiesScopes
+from apps.utils import has_matching_protected_resource
 
 
 class BBCapabilitiesPermissionTokenScopeMissingException(APIException):
@@ -37,20 +35,15 @@ def has_permission(self, request, view) -> bool:  # type: ignore
                 if 'coverage-eligibility' in request.auth.application.get_internal_application_labels():
                     token_scopes = CapabilitiesScopes().remove_eob_scopes(token_scopes)
 
-            scopes = list(
-                ProtectedCapability.objects.filter(slug__in=token_scopes).values_list('protected_resources', flat=True).all()
+            protected_resources = list(
+                ProtectedCapability.objects.filter(slug__in=token_scopes)
+                .values_list('protected_resources', flat=True)
+                .all()
             )
 
-            for scope in scopes:
-                for method, path in json.loads(scope):
-                    if method != request.method:
-                        continue
-                    if path == request.path:
-                        return True
-                    if re.fullmatch(path, request.path) is not None:
-                        return True
+            has_match = has_matching_protected_resource(protected_resources, request)
+            return has_match
 
-            return False
         else:
             # BB2-237: Replaces ASSERT with exception. We should never reach here.
             mesg = (

apps/constants.py

@@ -28,6 +28,14 @@
     ' the support team for the application you are trying to access.'
 )
 
+# Message output when an app attempts a v3 call but they don't have the correct scopes
+APPLICATION_DOES_NOT_HAVE_VALID_SCOPES = (
+    'This application, {}, does not have access to make calls for {} resources.'
+    ' If you are the app maintainer, please contact the Blue Button API team.'
+    ' If you are a Medicare Beneficiary and need assistance, please contact'
+    ' the support team for the application you are trying to access.'
+)
+
 C4BB_PROFILE_URLS = {
     'COVERAGE': 'http://hl7.org/fhir/us/carin-bb/StructureDefinition/C4BB-Coverage',
     'PATIENT': 'http://hl7.org/fhir/us/carin-bb/StructureDefinition/C4BB-Patient',

apps/fhir/bluebutton/permissions.py

@@ -1,16 +1,24 @@
 import logging
 
 from django.contrib.auth import get_user_model
-from oauth2_provider.views.base import get_access_token_model
 from oauth2_provider.models import get_application_model
-from rest_framework import permissions, exceptions
+from oauth2_provider.views.base import get_access_token_model
+from rest_framework import exceptions, permissions
 from rest_framework.exceptions import AuthenticationFailed, PermissionDenied
+from rest_framework.request import Request
 from waffle import get_waffle_flag_model
-from apps.constants import APPLICATION_TEMPORARILY_INACTIVE, APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET, FHIR_RES_TYPE_EOB
-from apps.fhir.constants import ALLOWED_RESOURCE_TYPES
-from apps.versions import Versions, VersionNotMatched
 
-from apps.constants import HHS_SERVER_LOGNAME_FMT
+from apps.capabilities.models import ProtectedCapability
+from apps.constants import (
+    APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET,
+    APPLICATION_DOES_NOT_HAVE_VALID_SCOPES,
+    APPLICATION_TEMPORARILY_INACTIVE,
+    FHIR_RES_TYPE_EOB,
+    HHS_SERVER_LOGNAME_FMT,
+)
+from apps.fhir.constants import ALLOWED_RESOURCE_TYPES
+from apps.utils import has_matching_protected_resource
+from apps.versions import VersionNotMatched, Versions
 
 logger = logging.getLogger(HHS_SERVER_LOGNAME_FMT.format(__name__))
 
@@ -113,6 +121,40 @@ def has_permission(self, request, view):
             raise PermissionDenied(APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET.format(application.name))
 
 
+class AppScopePermission(permissions.BasePermission):
+    def has_permission(self, request: Request, view) -> bool:
+        """
+        Determines if the user/app has permission to make the call it's trying to make. Takes care of the
+        case where a user/app goes through a v1/v2 auth flow and tries to make a v3 call that it's not authorized to make.
+
+        args:
+          - request: The API Request
+          - view: The view (search, read, etc.)
+        returns:
+          - True if there is a match with the current request and the protected resources the app has in the database.
+          - Raises a custom 403 Forbidden error if not
+        """
+        # if it is not version 3, we do not need to check the scopes
+        if view.version < Versions.V3:
+            return True
+
+        token = get_access_token_model().objects.get(token=request._auth)
+        token_app_id = token.application_id
+        if not token or not token_app_id:
+            return False
+        app_protected_resources = list(
+            ProtectedCapability.objects.filter(application=token_app_id)
+            .values_list('protected_resources', flat=True)
+            .all()
+        )
+        has_match = has_matching_protected_resource(app_protected_resources, request)
+        if not has_match:
+            raise PermissionDenied(
+                APPLICATION_DOES_NOT_HAVE_VALID_SCOPES.format(token.application, request.resource_type)
+            )
+        return has_match
+
+
 class V2ExplanationOfBenefitPermission(permissions.BasePermission):
     """
     Global permission check that the request is either:

apps/fhir/bluebutton/tests/test_fhir_resources_read_search_w_validation.py

@@ -8,8 +8,16 @@
 from oauth2_provider.models import get_access_token_model
 from waffle.testutils import override_switch
 
-from apps.constants import C4BB_PROFILE_URLS, DEFAULT_SAMPLE_FHIR_ID_V2, DEFAULT_SAMPLE_FHIR_ID_V3
-from apps.dot_ext.models import AccessTokenExtension
+from apps.constants import (
+    APPLICATION_DOES_NOT_HAVE_VALID_SCOPES,
+    C4BB_PROFILE_URLS,
+    COVERAGE_SCOPE,
+    DEFAULT_SAMPLE_FHIR_ID_V2,
+    DEFAULT_SAMPLE_FHIR_ID_V3,
+    EOB_SCOPE,
+    PATIENT_SCOPE,
+)
+from apps.dot_ext.models import AccessTokenExtension, Application, ProtectedCapability
 from apps.fhir.constants import (
     BAD_PARAMS_ACCEPTABLE_VERSIONS,
     C4BB_SYSTEM_TYPES,
@@ -604,18 +612,21 @@ def test_patient_request_when_thrown_when_invalid_parameters_included_v1_and_v2(
             url = SEARCH_PATIENT_URLS[version]
             self._test_request_when_invalid_parameters_included(url, version, HTTPStatus.OK, ENFORCE_PARAM_VALIDATION)
 
+    @tag('integration')
     def test_eob_request_when_thrown_when_invalid_parameters_and_prefer_strict_header_included_v3(self) -> None:
         url = SEARCH_EOB_URLS[Versions.V3]
         self._test_request_when_invalid_parameters_included(
             url, Versions.V3, HTTPStatus.BAD_REQUEST, ENFORCE_PARAM_VALIDATION
         )
 
+    @tag('integration')
     def test_coverage_request_when_thrown_when_invalid_parameters_and_prefer_strict_header_included_v3(self) -> None:
         url = SEARCH_COVERAGE_URLS[Versions.V3]
         self._test_request_when_invalid_parameters_included(
             url, Versions.V3, HTTPStatus.BAD_REQUEST, ENFORCE_PARAM_VALIDATION
         )
 
+    @tag('integration')
     def test_patient_request_when_invalid_parameters_and_prefer_strict_header_included_v3(self) -> None:
         url = SEARCH_PATIENT_URLS[Versions.V3]
         self._test_request_when_invalid_parameters_included(
@@ -742,6 +753,7 @@ def test_v12_no_extension_succeeds(self):
             response = self.client.get(reverse(SEARCH_EOB_URLS[version]), Authorization=f'Bearer {ac}')
             self.assertEqual(response.status_code, 200)
 
+    @tag('integration')
     def test_v12_include_samhsa_false_fails(self):
         """
         Ensure that a v1/2 call for a token with AccessTokenExtension.include_samhsa==False fails
@@ -773,3 +785,102 @@ def test_v12_include_samhsa_true_succeeds(self):
         for version in [Versions.V1, Versions.V2]:
             response = self.client.get(reverse(SEARCH_EOB_URLS[version]), Authorization=f'Bearer {ac}')
             self.assertEqual(response.status_code, 200)
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_matching_patient_protected_resource_returns_200(self):
+        """
+        Returns a 200 since the patient resource is for a patient and they are trying to make a patient call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        response = self.client.get(
+            reverse(SEARCH_PATIENT_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}'
+        )
+        self.assertEqual(response.status_code, 200)
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_matching_coverage_protected_resource_returns_200(self):
+        """
+        Returns a 200 since the coverage resource is for coverage and they are trying to make a coverage call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        response = self.client.get(
+            reverse(SEARCH_COVERAGE_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}'
+        )
+        self.assertEqual(response.status_code, 200)
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_matching_eob_protected_resource_returns_200(self):
+        """
+        Returns a 200 since the eob resource is for eob and they are trying to make a eob call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        response = self.client.get(reverse(SEARCH_EOB_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}')
+        self.assertEqual(response.status_code, 200)
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_no_matching_patient_protected_resource_returns_403(self):
+        """
+        Returns a 403 since the patient resource is removed from the database and they are trying to make a patient call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        # Remove the patient scope for that app and try to make a call
+        application = Application.objects.get(name='John_Smith_test')
+        patient_protected_resource = ProtectedCapability.objects.get(title=PATIENT_SCOPE)
+        application.scope.remove(patient_protected_resource)
+
+        response = self.client.get(
+            reverse(SEARCH_PATIENT_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}'
+        )
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json()['detail'], APPLICATION_DOES_NOT_HAVE_VALID_SCOPES.format('John_Smith_test', 'Patient')
+        )
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_no_matching_coverage_protected_resource_returns_403(self):
+        """
+        Returns a 403 since the coverage resource is removed from the database and they are trying to make a coverage call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        # Remove the coverage scope for that app and try to make a call
+        application = Application.objects.get(name='John_Smith_test')
+        coverage_protected_resource = ProtectedCapability.objects.get(title=COVERAGE_SCOPE)
+        application.scope.remove(coverage_protected_resource)
+
+        response = self.client.get(
+            reverse(SEARCH_COVERAGE_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}'
+        )
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json()['detail'], APPLICATION_DOES_NOT_HAVE_VALID_SCOPES.format('John_Smith_test', 'Coverage')
+        )
+
+    @tag('integration')
+    @override_switch('v3_endpoints', active=True)
+    def test_no_matching_eob_protected_resource_returns_403(self):
+        """
+        Returns a 403 since the eob resource is removed from the database and they are trying to make an eob call.
+        """
+        first_access_token = self.create_token('John', 'Smith', fhir_id_v2=DEFAULT_SAMPLE_FHIR_ID_V2)
+
+        # Remove the eob scope for that app and try to make a call
+        application = Application.objects.get(name='John_Smith_test')
+        eob_protected_resource = ProtectedCapability.objects.get(title=EOB_SCOPE)
+        application.scope.remove(eob_protected_resource)
+
+        response = self.client.get(reverse(SEARCH_EOB_URLS[Versions.V3]), Authorization=f'Bearer {first_access_token}')
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json()['detail'],
+            APPLICATION_DOES_NOT_HAVE_VALID_SCOPES.format('John_Smith_test', 'ExplanationOfBenefit'),
+        )