New: [AEA-5202] - Filter for sites with notifications allowed or denied (#1574)

## Summary

- ✨ New Feature

### Details

Adds a function on the producer side of EPS notifications that filters
out sites that are blocked, whilst only allowing through enabled
suppliers and sites. Case insensitive.

We want to maintain these lists in version control, so I've simply added
them as static data to the helper function file. There are also three
test cases for us to use in testing:
- Enabled test ODS code: `FA565`
- Enabled test supplier name: `Internal Test System`
- Blocked ODS code: `A83008`

Author: wildjames

SAMtemplates/functions/main.yaml

@@ -33,6 +33,15 @@ Parameters:
     Type: String
     Default: none
 
+  EnabledSiteODSCodesParam:
+    Type: AWS::SSM::Parameter::Value<String>
+
+  EnabledSystemsParam:
+    Type: AWS::SSM::Parameter::Value<String>
+
+  BlockedSiteODSCodesParam:
+    Type: AWS::SSM::Parameter::Value<String>
+    
   LogLevel:
     Type: String
 
@@ -83,6 +92,9 @@ Resources:
           TABLE_NAME: !Ref PrescriptionStatusUpdatesTableName
           NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL: !Ref NHSNotifyPrescriptionsSQSQueueUrl
           SQS_SALT: !Sub "{{resolve:secretsmanager:${SQSSaltSecret}:SecretString:salt}}"
+          ENABLED_SITE_ODS_CODES: !Ref EnabledSiteODSCodesParam
+          ENABLED_SYSTEMS: !Ref EnabledSystemsParam
+          BLOCKED_SITE_ODS_CODES: !Ref BlockedSiteODSCodesParam
           LOG_LEVEL: !Ref LogLevel
           ENVIRONMENT: !Ref Environment
           TEST_PRESCRIPTIONS_1: "None"

SAMtemplates/main_template.yaml

@@ -90,6 +90,14 @@ Parameters:
     Type: String
 
 Resources:
+  Parameters:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: parameters/main.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
+        Environment: !Ref Environment
+
   Tables:
     Type: AWS::Serverless::Application
     Properties:
@@ -136,6 +144,9 @@ Resources:
         PrescriptionStatusUpdatesTableName: !GetAtt Tables.Outputs.PrescriptionStatusUpdatesTableName
         PrescriptionNotificationStateTableName: !GetAtt Tables.Outputs.PrescriptionNotificationStateTableName
         NHSNotifyPrescriptionsSQSQueueUrl: !GetAtt Messaging.Outputs.NHSNotifyPrescriptionsSQSQueueUrl
+        EnabledSiteODSCodesParam: !GetAtt Parameters.Outputs.EnabledSiteODSCodesParameterName
+        EnabledSystemsParam: !GetAtt Parameters.Outputs.EnabledSystemsParameterName
+        BlockedSiteODSCodesParam: !GetAtt Parameters.Outputs.BlockedSiteODSCodesParameterName
         LogLevel: !Ref LogLevel
         LogRetentionInDays: !Ref LogRetentionInDays
         EnableSplunk: !Ref EnableSplunk

SAMtemplates/parameters/main.yaml

@@ -0,0 +1,79 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: >-
+  SSM Parameter Store entries. Values may differ between prod and non-prod environments
+
+Parameters:
+  StackName:
+    Type: String
+
+  Environment:
+    Type: String
+
+Conditions:
+  IsProd: !Equals [ !Ref Environment, prod ]
+
+Resources:
+  EnabledSiteODSCodesParameter:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: !Sub ${StackName}-PSUNotifyEnabledSiteODSCodes
+      Description: "List of site ODS codes for which notifications are enabled"
+      Type: String
+      Value: !If
+        - IsProd
+        - > # Prod notification enabled
+          FA565
+        - > # Non-prod
+          FA565
+
+  EnabledSystemsParameter:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: !Sub ${StackName}-PSUNotifyEnabledSystems
+      Description: "List of application names for which notifications are enabled"
+      Type: String
+      Value: !If
+        - IsProd
+        - > # Prod notification enabled
+          Apotec Ltd - Apotec CRM - Production,
+          CrxPatientApp,
+          nhsPrescriptionApp,
+          Titan PSU Prod
+        - > # Non-prod
+          Internal Test System,
+          Apotec Ltd - Apotec CRM - Production,
+          CrxPatientApp,
+          nhsPrescriptionApp,
+          Titan PSU Prod
+
+  BlockedSiteODSCodesParameter:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: !Sub ${StackName}-PSUNotifyBlockedSiteODSCodes
+      Description: "List of site ODS codes for which notifications are blocked"
+      Type: String
+      Value: !If
+        - IsProd
+        - > # Prod notification disabled
+          A83008
+        - > # Non-prod
+          A83008
+
+Outputs:
+  EnabledSiteODSCodesParameterName:
+    Description: "Name of the SSM parameter holding enabled site ODS codes"
+    Value: !Ref EnabledSiteODSCodesParameter
+    Export:
+      Name: !Sub ${StackName}-PSUNotifyEnabledSiteODSCodesParam
+
+  EnabledSystemsParameterName:
+    Description: "Name of the SSM parameter holding enabled system names"
+    Value: !Ref EnabledSystemsParameter
+    Export:
+      Name: !Sub ${StackName}-PSUNotifyEnabledSystemsParam
+
+  BlockedSiteODSCodesParameterName:
+    Description: "Name of the SSM parameter holding blocked site ODS codes"
+    Value: !Ref BlockedSiteODSCodesParameter
+    Export:
+      Name: !Sub ${StackName}-PSUNotifyBlockedSiteODSCodesParam

packages/common/commonTypes/src/index.ts

@@ -1,14 +1,14 @@
 export interface PSUDataItem {
-    LastModified: string
-    LineItemID: string
-    PatientNHSNumber: string
-    PharmacyODSCode: string
-    PrescriptionID: string
-    RepeatNo?: number
-    RequestID: string
-    Status: string
-    TaskID: string
-    TerminalStatus: string
-    ApplicationName: string
-    ExpiryTime: number
-  }
+  LastModified: string
+  LineItemID: string
+  PatientNHSNumber: string
+  PharmacyODSCode: string
+  PrescriptionID: string
+  RepeatNo?: number
+  RequestID: string
+  Status: string
+  TaskID: string
+  TerminalStatus: string
+  ApplicationName: string
+  ExpiryTime: number
+}

packages/updatePrescriptionStatus/.jest/setEnvVars.js

@@ -2,3 +2,6 @@
 process.env.NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL = "dummy_notify_sqs";
 process.env.AWS_REGION = "eu-west-2";
 process.env.SQS_SALT = "the quick brown fox something something"
+process.env.ENABLED_SITE_ODS_CODES = "FA565"
+process.env.ENABLED_SYSTEMS = "Internal Test System,Apotec Ltd - Apotec CRM - Production,CrxPatientApp,nhsPrescriptionApp,Titan PSU Prod"
+process.env.BLOCKED_SITE_ODS_CODES = "A83008"

packages/updatePrescriptionStatus/src/updatePrescriptionStatus.ts

@@ -11,6 +11,8 @@ import httpHeaderNormalizer from "@middy/http-header-normalizer"
 import errorHandler from "@nhs/fhir-middy-error-handler"
 import {Bundle, BundleEntry, Task} from "fhir/r4"
 
+import {PSUDataItem} from "@PrescriptionStatusUpdate_common/commonTypes"
+
 import {transactionBundle, validateEntry} from "./validation/content"
 import {getPreviousItem, persistDataItems} from "./utils/databaseClient"
 import {jobWithTimeout, hasTimedOut} from "./utils/timeoutUtils"
@@ -42,21 +44,6 @@ export const TEST_PRESCRIPTIONS_1 = (process.env.TEST_PRESCRIPTIONS_1 ?? "")
 export const TEST_PRESCRIPTIONS_2 = (process.env.TEST_PRESCRIPTIONS_2 ?? "")
   .split(",").map(item => item.trim()) || []
 
-export interface DataItem {
-  LastModified: string
-  LineItemID: string
-  PatientNHSNumber: string
-  PharmacyODSCode: string
-  PrescriptionID: string
-  RepeatNo?: number
-  RequestID: string
-  Status: string
-  TaskID: string
-  TerminalStatus: string
-  ApplicationName: string
-  ExpiryTime: number
-}
-
 const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> => {
   logger.appendKeys({
     "nhsd-correlation-id": event.headers["nhsd-correlation-id"],
@@ -260,16 +247,16 @@ export function buildDataItems(
   requestEntries: Array<BundleEntry>,
   xRequestID: string,
   applicationName: string
-): Array<DataItem> {
-  const dataItems: Array<DataItem> = []
+): Array<PSUDataItem> {
+  const dataItems: Array<PSUDataItem> = []
 
   for (const requestEntry of requestEntries) {
     const task = requestEntry.resource as Task
     logger.info("Building data item for task.", {task: task, id: task.id})
 
     const repeatNo = task.input?.[0]?.valueInteger
 
-    const dataItem: DataItem = {
+    const dataItem: PSUDataItem = {
       LastModified: task.lastModified!,
       LineItemID: task.focus!.identifier!.value!.toUpperCase(),
       PatientNHSNumber: task.for!.identifier!.value!,
@@ -300,7 +287,7 @@ function response(statusCode: number, responseEntries: Array<BundleEntry>) {
   }
 }
 
-async function logTransitions(dataItems: Array<DataItem>): Promise<void> {
+async function logTransitions(dataItems: Array<PSUDataItem>): Promise<void> {
   for (const dataItem of dataItems) {
     try {
       const previousItem = await getPreviousItem(dataItem)

packages/updatePrescriptionStatus/src/utils/databaseClient.ts

@@ -11,15 +11,15 @@ import {
 } from "@aws-sdk/client-dynamodb"
 import {marshall, unmarshall} from "@aws-sdk/util-dynamodb"
 
-import {DataItem} from "../updatePrescriptionStatus"
+import {PSUDataItem} from "@PrescriptionStatusUpdate_common/commonTypes"
 import {Timeout} from "./timeoutUtils"
 
 const client = new DynamoDBClient()
 const tableName = process.env.TABLE_NAME ?? "PrescriptionStatusUpdates"
 
-function createTransactionCommand(dataItems: Array<DataItem>, logger: Logger): TransactWriteItemsCommand {
+function createTransactionCommand(dataItems: Array<PSUDataItem>, logger: Logger): TransactWriteItemsCommand {
   logger.info("Creating transaction command to write data items.")
-  const transactItems: Array<TransactWriteItem> = dataItems.map((d: DataItem): TransactWriteItem => {
+  const transactItems: Array<TransactWriteItem> = dataItems.map((d: PSUDataItem): TransactWriteItem => {
     return {
       Put: {
         TableName: tableName,
@@ -32,7 +32,7 @@ function createTransactionCommand(dataItems: Array<DataItem>, logger: Logger): T
   return new TransactWriteItemsCommand({TransactItems: transactItems})
 }
 
-export async function persistDataItems(dataItems: Array<DataItem>, logger: Logger): Promise<boolean | Timeout> {
+export async function persistDataItems(dataItems: Array<PSUDataItem>, logger: Logger): Promise<boolean | Timeout> {
   const transactionCommand = createTransactionCommand(dataItems, logger)
   try {
     logger.info("Sending TransactWriteItemsCommand to DynamoDB.", {command: transactionCommand})
@@ -72,7 +72,7 @@ export async function checkPrescriptionRecordExistence(
   }
 }
 
-export async function getPreviousItem(currentItem: DataItem): Promise<DataItem | undefined> {
+export async function getPreviousItem(currentItem: PSUDataItem): Promise<PSUDataItem | undefined> {
   const query: QueryCommandInput = {
     TableName: tableName,
     KeyConditions: {
@@ -90,7 +90,7 @@ export async function getPreviousItem(currentItem: DataItem): Promise<DataItem |
   }
 
   let lastEvaluatedKey
-  let items: Array<DataItem> = []
+  let items: Array<PSUDataItem> = []
   do {
     if (lastEvaluatedKey) {
       query.ExclusiveStartKey = lastEvaluatedKey
@@ -99,7 +99,7 @@ export async function getPreviousItem(currentItem: DataItem): Promise<DataItem |
     if (result.Items) {
       items = items.concat(
         result.Items
-          .map((item) => unmarshall(item) as DataItem)
+          .map((item) => unmarshall(item) as PSUDataItem)
           .filter((item) => item.TaskID !== currentItem.TaskID) // Can't do NE in the query so filter here
       )
     }

packages/updatePrescriptionStatus/src/utils/sqsClient.ts

@@ -3,10 +3,13 @@ import {SQSClient, SendMessageBatchCommand} from "@aws-sdk/client-sqs"
 
 import {createHmac} from "crypto"
 
-import {DataItem} from "../updatePrescriptionStatus"
+import {PSUDataItem} from "@PrescriptionStatusUpdate_common/commonTypes"
+
+import {checkSiteOrSystemIsNotifyEnabled} from "../validation/notificationSiteAndSystemFilters"
 
 const sqsUrl: string | undefined = process.env.NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL
-const sqsSalt: string = process.env.SQS_SALT ?? "DEVSALT"
+const fallbackSalt = "DEV SALT"
+const sqsSalt: string = process.env.SQS_SALT ?? fallbackSalt
 
 // The AWS_REGION is always defined in lambda environments
 const sqs = new SQSClient({region: process.env.AWS_REGION})
@@ -33,26 +36,26 @@ function chunkArray<T>(arr: Array<T>, size: number): Array<Array<T>> {
  * @param hashFunction - Which hash function to use. HMAC compatible. Defaults to SHA-256
  * @returns - A hex encoded string of the hash
  */
-export function saltedHash(input: string, hashFunction: string = "sha256"): string {
-  if (sqsSalt === "DEVSALT") {
-    console.warn("Using the fallback salt value - please update the environment variable `SQS_SALT` to a random value.")
+export function saltedHash(logger: Logger, input: string, hashFunction: string = "sha256"): string {
+  if (sqsSalt === fallbackSalt) {
+    logger.warn("Using the fallback salt value - please update the environment variable `SQS_SALT` to a random value.")
   }
   return createHmac(hashFunction, sqsSalt)
     .update(input, "utf8")
     .digest("hex")
 }
 
 /**
- * Pushes an array of DataItems to the notifications SQS queue
+ * Pushes an array of PSUDataItem to the notifications SQS queue
  * Uses SendMessageBatch to send up to 10 at a time
  *
  * @param requestId - The x-request-id header from the incoming event
- * @param data - Array of DataItems to send to SQS
+ * @param data - Array of PSUDataItem to send to SQS
  * @param logger - Logger instance
  */
 export async function pushPrescriptionToNotificationSQS(
   requestId: string,
-  data: Array<DataItem>,
+  data: Array<PSUDataItem>,
   logger: Logger
 ) {
   logger.info("Checking if any items require notifications", {numItemsToBeChecked: data.length, sqsUrl})
@@ -62,8 +65,17 @@ export async function pushPrescriptionToNotificationSQS(
     throw new Error("Notifications SQS URL not configured")
   }
 
+  // Only allow through sites and systems that are allowedSitesAndSystems
+  const allowedSitesAndSystemsData = checkSiteOrSystemIsNotifyEnabled(data)
+  logger.info(
+    "Filtered out sites and suppliers that are not enabled, or are explicitly disabled",
+    {
+      numItemsAllowed: allowedSitesAndSystemsData.length
+    }
+  )
+
   // SQS batch calls are limited to 10 messages per request, so chunk the data
-  const batches = chunkArray(data, 10)
+  const batches = chunkArray(allowedSitesAndSystemsData, 10)
 
   // Only these statuses will be pushed to the SQS
   const updateStatuses: Array<string> = [
@@ -80,7 +92,7 @@ export async function pushPrescriptionToNotificationSQS(
         MessageBody: JSON.stringify(item),
         // FIFO
         // We dedupe on both nhs number and ods code
-        MessageDeduplicationId: saltedHash(`${item.PatientNHSNumber}:${item.PharmacyODSCode}`),
+        MessageDeduplicationId: saltedHash(logger, `${item.PatientNHSNumber}:${item.PharmacyODSCode}`),
         MessageGroupId: requestId
       }))
     // We could do a round of deduplications here, but benefits would be minimal and AWS SQS will do it for us anyway.