4 changes: 2 additions & 2 deletions src/eligibility_signposting_api/common/request_validator.py
Expand Up @@ -60,8 +60,8 @@ def validate_request_params() -> Callable:
def decorator(func: Callable) -> Callable:
@wraps(func)
def wrapper(*args, **kwargs) -> ResponseReturnValue: # noqa:ANN002,ANN003
path_nhs_number = str(kwargs.get("nhs_number"))
header_nhs_no = str(request.headers.get(NHS_NUMBER_HEADER))
path_nhs_number = str(kwargs.get("nhs_number")) if kwargs.get("nhs_number") else None
header_nhs_no = str(request.headers.get(NHS_NUMBER_HEADER)) if request.headers.get(NHS_NUMBER_HEADER) else None

if not validate_nhs_number(path_nhs_number, header_nhs_no):
message = "You are not authorised to request information for the supplied NHS Number"
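Review bot: An absent or blank `nhs-login-nhs-number` header now becomes `None`, and the tests in this PR expect `validate_nhs_number` to accept a `None` or empty header, so the 403 branch below fires only when a header is present and different; the check fails open for any request that carries no header. That is safe only if a trusted upstream component always sets the header for patient-facing callers and strips any client-supplied copy. Neither `validate_nhs_number` nor that upstream is visible here, so please state the assumption in a comment on these two lines and log when the header is missing. Separately, each value is looked up twice; `header_nhs_no = request.headers.get(NHS_NUMBER_HEADER) or None` is equivalent and shorter. The wrapper body continues outside the hunk.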
50 changes: 50 additions & 0 deletions tests/integration/in_process/test_eligibility_endpoint.py
@@ -1,5 +1,6 @@
from http import HTTPStatus

import pytest
from botocore.client import BaseClient
from brunns.matchers.data import json_matching as is_json_that
from brunns.matchers.werkzeug import is_werkzeug_response as is_response
Expand Down Expand Up @@ -39,6 +40,55 @@ def test_nhs_number_given(
is_response().with_status_code(HTTPStatus.OK).and_text(is_json_that(has_key("processedSuggestions"))),
)

@pytest.mark.parametrize(
"headers",
[
{"nhs-login-nhs-number": None}, # header present but empty
{}, # header missing entirely
{"nhs-login-nhs-number": ""}, # header present but blank
],
)
def test_nhs_number_given_but_no_nhs_number_in_header(
self,
client: FlaskClient,
persisted_person: NHSNumber,
campaign_config: CampaignConfig, # noqa: ARG002
secretsmanager_client: BaseClient, # noqa: ARG002
headers: dict,
):
# Given
# When
response = client.get(f"/patient-check/{persisted_person}", headers=headers)

# Then
assert_that(
response,
is_response()
.with_status_code(HTTPStatus.OK)
.and_text(is_json_that(has_key("processedSuggestions"))),
)

def test_nhs_number_given_but_header_nhs_number_doesnt_match(
self,
client: FlaskClient,
persisted_person: NHSNumber,
campaign_config: CampaignConfig, # noqa: ARG002
secretsmanager_client: BaseClient, # noqa: ARG002
):
# Given
headers = {"nhs-login-nhs-number": f"123{str(persisted_person)}"}

# When
response = client.get(f"/patient-check/{persisted_person}", headers=headers)

# Then
assert_that(
response,
is_response()
.with_status_code(HTTPStatus.FORBIDDEN)
.and_text(is_json_that(has_entries(resourceType="OperationOutcome"))),
)

def test_no_nhs_number_given(self, client: FlaskClient):
# Given

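Review bot: The three parametrised cases in `test_nhs_number_given_but_no_nhs_number_in_header` pin 200 OK with `processedSuggestions` when the header is absent or blank, so the suite now documents the fail-open path without saying why it is acceptable; a docstring naming the caller type this is meant for would make that reviewable. The `{"nhs-login-nhs-number": None}` case is worth confirming, here and in `test_validate_request_params_success` in tests/unit/common/test_request_validator.py: the test client may stringify or drop a `None` value, in which case it does not exercise what the comment "header present but empty" describes, and it overlaps the `""` case. In the mismatch test, `f"123{str(persisted_person)}"` differs from the path value in length as well as content; a same-length different number would be a tighter FORBIDDEN check, and the `str()` call is redundant inside an f-string.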
16 changes: 13 additions & 3 deletions tests/unit/common/test_request_validator.py
Expand Up @@ -21,8 +21,9 @@ class TestValidateNHSNumber:
("path_nhs", "header_nhs", "expected_result", "expected_log_msg"),
[
(None, None, False, "NHS number is not present in path"),
("1234567890", None, True, None),
(None, "1234567890", False, "NHS number is not present in path"),
("1234567890", None, True, None),
("1234567890", "", True, None),
("1234567890", "0987654321", False, "NHS number mismatch"),
("1234567890", "1234567890", True, None),
],
Expand All @@ -40,15 +41,24 @@ def test_validate_nhs_number(self, path_nhs, header_nhs, expected_result, expect


class TestValidateRequestParams:
def test_validate_request_params_success(self, app, caplog):
@pytest.mark.parametrize(
"headers",
[
{"nhs-login-nhs-number": None}, # header present but empty
{}, # header missing entirely
{"nhs-login-nhs-number": ""}, # header present but blank
{"nhs-login-nhs-number": "1234567890"} # present and matches
],
)
def test_validate_request_params_success(self, headers, app, caplog):
mock_api = MagicMock(return_value="success")

decorator = request_validator.validate_request_params()
dummy_route = decorator(mock_api)

with app.test_request_context(
"/dummy?id=1234567890",
headers={"nhs-login-nhs-number": "1234567890"},
headers=headers,
method="GET",
):
with caplog.at_level(logging.INFO):
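Review bot: The new header cases in `test_validate_request_params_success` spell the header name as the literal `"nhs-login-nhs-number"`, while the decorator reads `NHS_NUMBER_HEADER`. Now that a missing header is accepted, a renamed or mistyped header would silently turn the "present and matches" case into another "missing" case and the test would still pass. Building the dicts from the constant (presumably reachable as `request_validator.NHS_NUMBER_HEADER`) keeps the matching case meaningful. The last list entry also lacks a trailing comma: `{"nhs-login-nhs-number": "1234567890"},`. The test body continues outside the hunk.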