From 7de573ae2e5c020171efc8d2188a6d7f5c2f6b3b Mon Sep 17 00:00:00 2001
From: kevinmason-nhs <kevin.mason6@nhs.net>
Date: Wed, 30 Jul 2025 13:35:00 +0100
Subject: [PATCH 1/6] [ERSSUP-86798]-[PC]-[Add ODS APIGEE validation]-[KM]

---
 macros/manifest_macros.yml                    |   4 +-
 manifest_template.yml                         |  16 +-
 .../AssignMessage.InternalServerError.xml     |   7 +
 ...tOperationOutcomeODSHeaderMissingPreR4.xml |  18 ++
 ....SetOperationOutcomeODSHeaderMissingR4.xml |  19 ++
 ...omeODSHeaderValueNotInPartnerListPreR4.xml |  18 ++
 ...utcomeODSHeaderValueNotInPartnerListR4.xml |  18 ++
 ...essage.SetOperationOutcomeServiceError.xml |  19 ++
 .../FlowCallout.EUOAllowlistVerify.xml        |   5 +
 .../FlowCallout.ExtendedAttributes.xml        |   5 +
 proxies/live/apiproxy/proxies/default.xml     |  69 ++---
 proxies/live/apiproxy/targets/ers-target.xml  |  91 +++++-
 .../endpoints/a042-retrieve-attachment.yaml   |   2 +-
 tests/conftest.py                             |  30 +-
 tests/integration/test_headers.py             |   6 +-
 tests/integration/test_user_restricted.py     | 287 ++++++++++++++++++
 16 files changed, 558 insertions(+), 56 deletions(-)
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.InternalServerError.xml
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4.xml
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingR4.xml
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4.xml
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4.xml
 create mode 100644 proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeServiceError.xml
 create mode 100644 proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistVerify.xml
 create mode 100644 proxies/live/apiproxy/policies/FlowCallout.ExtendedAttributes.xml
 create mode 100644 tests/integration/test_user_restricted.py

diff --git a/macros/manifest_macros.yml b/macros/manifest_macros.yml
index c9426290f..b2f063576 100644
--- a/macros/manifest_macros.yml
+++ b/macros/manifest_macros.yml
@@ -3,12 +3,14 @@
     products:
 {% endmacro %}
 
-{%- macro product(ENV, MODE, TITLE, product_name, display_name) -%}
+{%- macro product(ENV, MODE, TITLE, product_name, display_name, euo_allowlist_required) -%}
       - name: e-referrals-service-api-{{ product_name }}{{ MODE.nameSuffix }}
         approvalType: {{ ENV.approval_type | default('auto') }}
         attributes:
           - name: access
             value: public
+          - name: EUOAllowlistRequired
+            value: {{ euo_allowlist_required }}
           - name: ratelimiting
             value:
               e-referrals-service-api-{{ product_name }}:
diff --git a/manifest_template.yml b/manifest_template.yml
index 4c04cbe9c..24b473d8a 100644
--- a/manifest_template.yml
+++ b/manifest_template.yml
@@ -16,23 +16,31 @@ APIGEE_ENVIRONMENTS:
   variants:
   - name: rc-internal-dev
     display_name: Internal Development - rc
+    euo_allowlist_required: false
   - name: fix-internal-dev
     display_name: Internal Development - fix
+    euo_allowlist_required: false
   - name: fti-internal-dev
     display_name: Internal Development - ft01
+    euo_allowlist_required: false
   - name: ftiv-internal-dev
     display_name: Internal Development - ft04
+    euo_allowlist_required: false
   - name: ftv-internal-dev
     display_name: Internal Development - ft05
+    euo_allowlist_required: false
   - name: ftix-internal-dev
     display_name: Internal Development - ft09
+    euo_allowlist_required: false
   - name: ftxxii-internal-dev
     display_name: Internal Development - ft22
+    euo_allowlist_required: false
 
 - name: internal-dev-sandbox
   variants:
     - name: internal-dev-sandbox
       display_name: Internal Development Sandbox
+      euo_allowlist_required: false
 
 - name: int
   additional_proxies:
@@ -41,6 +49,7 @@ APIGEE_ENVIRONMENTS:
   variants:
     - name: int
       display_name: Integration Testing
+      euo_allowlist_required: false
 
 - name: internal-qa
   additional_proxies:
@@ -49,16 +58,19 @@ APIGEE_ENVIRONMENTS:
   variants:
     - name: internal-qa
       display_name: Internal QA
+      euo_allowlist_required: false
 
 - name: internal-qa-sandbox
   variants:
     - name: internal-qa-sandbox
       display_name: Internal QA Sandbox
+      euo_allowlist_required: false
 
 - name: sandbox
   variants:
     - name: sandbox
       display_name: Sandbox
+      euo_allowlist_required: false
 
 - name: dev
   additional_proxies:
@@ -66,12 +78,14 @@ APIGEE_ENVIRONMENTS:
   variants:
   - name: dep-dev
     display_name: Dev - dep
+    euo_allowlist_required: false
 
 - name: prod
   approval_type: manual
   variants:
     - name: prod
       display_name: Production
+      euo_allowlist_required: false
 
 ACCESS_MODES:
   - name: healthcare-worker
@@ -104,7 +118,7 @@ apigee:
 
 {%    for VARIANT in ENV.variants %}
 {%      for MODE in ACCESS_MODES %}
-      {{ macros.product(ENV, MODE, TITLE, VARIANT.name, VARIANT.display_name) }}
+      {{ macros.product(ENV, MODE, TITLE, VARIANT.name, VARIANT.display_name, VARIANT.euo_allowlist_required) }}
 {%      endfor %}
 {%    endfor %}
 
diff --git a/proxies/live/apiproxy/policies/AssignMessage.InternalServerError.xml b/proxies/live/apiproxy/policies/AssignMessage.InternalServerError.xml
new file mode 100644
index 000000000..321aacd0c
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.InternalServerError.xml
@@ -0,0 +1,7 @@
+<AssignMessage continueOnError="false" enabled="true" name="AssignMessage.InternalServerError">
+    <DisplayName>AssignMessage.InternalServerError</DisplayName>
+    <Remove>
+        <Payload>Internal Server Error</Payload>
+    </Remove>
+    <AssignTo createNew="false" type="response"/>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4.xml
new file mode 100644
index 000000000..a10372bb6
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4.xml
@@ -0,0 +1,18 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>400</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>required</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>Missing or Empty NHSD-End-User-Organisation-ODS header.</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>MISSING_HEADER</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingR4.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingR4.xml
new file mode 100644
index 000000000..0c3c731fe
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderMissingR4.xml
@@ -0,0 +1,19 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeODSHeaderMissingR4">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>400</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>required</Value>
+    </AssignVariable>
+    <!-- Overrides OutcomeVariablesR4-->
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>MISSING_HEADER</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>Missing or Empty NHSD-End-User-Organisation-ODS header.</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4.xml
new file mode 100644
index 000000000..004f6489f
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4.xml
@@ -0,0 +1,18 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>403</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>Unauthorised ODS code provided in NHSD-End-User-Organisation-ODS header</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>NO_ACCESS</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4.xml
new file mode 100644
index 000000000..9bea7a9a8
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4.xml
@@ -0,0 +1,18 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>403</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>forbidden</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>Unauthorised ODS code provided in NHSD-End-User-Organisation-ODS header</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>ACCESS_DENIED</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeServiceError.xml b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeServiceError.xml
new file mode 100644
index 000000000..aac05d6c0
--- /dev/null
+++ b/proxies/live/apiproxy/policies/AssignMessage.SetOperationOutcomeServiceError.xml
@@ -0,0 +1,19 @@
+<AssignMessage enabled="true" name="AssignMessage.SetOperationOutcomeServiceError">
+    <AssignVariable>
+        <Name>status_code</Name>
+        <Value>500</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>op_outcome_issue_code</Name>
+        <Value>exception</Value>
+    </AssignVariable>
+    <!-- Overrides OutcomeVariablesR4-->
+    <AssignVariable>
+        <Name>op_outcome_issue_details_coding_code</Name>
+        <Value>SERVICE_ERROR</Value>
+    </AssignVariable>
+    <AssignVariable>
+        <Name>faultstring</Name>
+        <Value>Internal Server Error</Value>
+    </AssignVariable>
+</AssignMessage>
diff --git a/proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistVerify.xml b/proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistVerify.xml
new file mode 100644
index 000000000..026d951c2
--- /dev/null
+++ b/proxies/live/apiproxy/policies/FlowCallout.EUOAllowlistVerify.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<FlowCallout async="false" continueOnError="false" enabled="true" name="FlowCallout.EUOAllowlistVerify">
+    <DisplayName>EUOAllowlistVerify</DisplayName>
+    <SharedFlowBundle>EUOAllowlistVerify</SharedFlowBundle>
+</FlowCallout>
diff --git a/proxies/live/apiproxy/policies/FlowCallout.ExtendedAttributes.xml b/proxies/live/apiproxy/policies/FlowCallout.ExtendedAttributes.xml
new file mode 100644
index 000000000..c3a25f88d
--- /dev/null
+++ b/proxies/live/apiproxy/policies/FlowCallout.ExtendedAttributes.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<FlowCallout async="false" continueOnError="false" enabled="true" name="FlowCallout.ExtendedAttributes">
+    <DisplayName>Extract extended attribute</DisplayName>
+    <SharedFlowBundle>ExtendedAttributes</SharedFlowBundle>
+</FlowCallout>
diff --git a/proxies/live/apiproxy/proxies/default.xml b/proxies/live/apiproxy/proxies/default.xml
index 4b9fb99ce..d4f94f692 100644
--- a/proxies/live/apiproxy/proxies/default.xml
+++ b/proxies/live/apiproxy/proxies/default.xml
@@ -1,40 +1,38 @@
 <ProxyEndpoint name="default">
     <Flows>
-      <Flow name="AddPayloadToPing">
-        <Description/>
-        <Request/>
-        <Response>
-          <Step>
-            <Name>AssignMessage.AddPayloadToPing</Name>
-          </Step>
-        </Response>
-        <Condition>(proxy.pathsuffix MatchesPath "/_ping") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
-      </Flow>
-      <Flow name="StatusEndpoint">
-        <Description/>
-        <Request>
-          <Step>
-            <Name>KeyValueMapOperations.GetSharedSecureVariables</Name>
-          </Step>
-          <Step>
-            <Condition>(private.apigee.status-endpoint-api-key NotEquals request.header.apikey) or (private.apigee.status-endpoint-api-key Is null)</Condition>
-            <Name>RaiseFault.401Unauthorized</Name>
-          </Step>
-          <Step>
-            <Name>ServiceCallout.CallHealthcheckEndpoint</Name>
-          </Step>
-        </Request>
-        <Response>
-          <Step>
-            <Name>javascript.SetStatusResponse</Name>
-          </Step>
-        </Response>
-        <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
-      </Flow>
+        <Flow name="AddPayloadToPing">
+            <Description/>
+            <Request/>
+            <Response>
+                <Step>
+                    <Name>AssignMessage.AddPayloadToPing</Name>
+                </Step>
+            </Response>
+            <Condition>(proxy.pathsuffix MatchesPath "/_ping") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
+        </Flow>
+        <Flow name="StatusEndpoint">
+            <Description/>
+            <Request>
+                <Step>
+                    <Name>KeyValueMapOperations.GetSharedSecureVariables</Name>
+                </Step>
+                <Step>
+                    <Condition>(private.apigee.status-endpoint-api-key NotEquals request.header.apikey) or (private.apigee.status-endpoint-api-key Is null)</Condition>
+                    <Name>RaiseFault.401Unauthorized</Name>
+                </Step>
+                <Step>
+                    <Name>ServiceCallout.CallHealthcheckEndpoint</Name>
+                </Step>
+            </Request>
+            <Response>
+                <Step>
+                    <Name>javascript.SetStatusResponse</Name>
+                </Step>
+            </Response>
+            <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
+        </Flow>
     </Flows>
-    
     <PreFlow/>
-
     <PostClientFlow>
         <Response>
             <Step>
@@ -42,16 +40,15 @@
             </Step>
         </Response>
     </PostClientFlow>
-
     <HTTPProxyConnection>
         <BasePath>{{ SERVICE_BASE_PATH }}</BasePath>
         <VirtualHost>secure</VirtualHost>
     </HTTPProxyConnection>
     <RouteRule name="NoRoutePing">
-      <Condition>(proxy.pathsuffix MatchesPath "/_ping") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
+        <Condition>(proxy.pathsuffix MatchesPath "/_ping") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
     </RouteRule>
     <RouteRule name="NoRouteStatus">
-      <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
+        <Condition>(proxy.pathsuffix MatchesPath "/_status") and ((request.verb = "GET") or (request.verb = "HEAD"))</Condition>
     </RouteRule>
     <RouteRule name="e-referrals-service-api-target">
         <TargetEndpoint>e-referrals-service-api-target</TargetEndpoint>
diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
index 4add6f9c2..e6bfb2b1e 100644
--- a/proxies/live/apiproxy/targets/ers-target.xml
+++ b/proxies/live/apiproxy/targets/ers-target.xml
@@ -123,6 +123,64 @@
             </Step>
             <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
         </FaultRule>
+        <FaultRule name="ods_header_not_in_partner_list_error">
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4</Name>
+            </Step>
+        </FaultRule>
+        <FaultRule name="ods_header_missing_error">
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 400)</Condition>
+        </FaultRule>
+        <FaultRule name="euo_allowlist_internal_error">
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.InternalServerError</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeServiceError</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Step>
+                <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 500)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeInvalidBusinessFunction</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
+        </FaultRule>
     </FaultRules>
     <PreFlow>
         <Request>
@@ -135,6 +193,15 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
+            <!-- https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without -->
+            <Step>
+                <Name>FlowCallout.ExtendedAttributes</Name>
+                <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
+            </Step>
+            <Step>
+                <Name>FlowCallout.EUOAllowlistVerify</Name>
+                <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
+            </Step>
             <Step>
                 <Name>RaiseFault.MissingAsid</Name>
                 <Condition>(app.asid == null) Or (app.asid == "")</Condition>
@@ -174,29 +241,29 @@
             <Request><!--AUTHORISED_APPLICATION business functions are not supported in user restricted flow --><Step>
                     <Name>RaiseFault.InvalidBusinessFunction</Name>
                     <Condition>(request.header.nhsd-ers-business-function == "PROVIDER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "REFERRER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Set.x-ers-user-id-header-user-restricted</Name>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.NHSD-eRS-On-Behalf-Of-User-ID</Name>
                     <Condition>(request.header.NHSD-eRS-On-Behalf-Of-User-ID ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.nhsd-end-user-organisation-ods</Name>
                     <Condition>(request.header.nhsd-end-user-organisation-ods ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.nhsd-ers-business-function</Name>
                     <Condition>(request.header.nhsd-ers-business-function ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.nhsd-ers-comm-rule-org</Name>
                     <Condition>(request.header.nhsd-ers-comm-rule-org ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.nhsd-ers-file-name</Name>
                     <Condition>(request.header.nhsd-ers-file-name ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Swap.nhsd-ers-referral-id</Name>
                     <Condition>(request.header.nhsd-ers-referral-id ~~ ".+")</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.Remove.x-request-id-header</Name>
                 </Step><Step>
                     <Name>AssignMessage.Set.x-ers-authentication-assurance-level-header</Name>
@@ -204,17 +271,17 @@
                     <Name>AssignMessage.Set.x-ers-amr-header</Name>
                 </Step><Step>
                     <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Condition>(request.header.x-ers-id-assurance-level LesserThan 3)</Condition>
                     <Name>RaiseFault.401InsufficientIal</Name>
                 </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %}<Step>
                     <Name>AssignMessage.SetEchoTarget</Name>
                     <Condition>(request.header.echo)</Condition>
-                </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
+                </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %}<Step>
                     <Name>AssignMessage.SetTruststore</Name>
                     <!--Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
                     <Condition>(isEchoCall != true )</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.SetEchoTruststore</Name>
                     <Condition>(isEchoCall == true)</Condition>
                 </Step> {% endif %} <Step>
diff --git a/specification/components/r4/schemas/endpoints/a042-retrieve-attachment.yaml b/specification/components/r4/schemas/endpoints/a042-retrieve-attachment.yaml
index 41bc67c0d..96200ee7d 100644
--- a/specification/components/r4/schemas/endpoints/a042-retrieve-attachment.yaml
+++ b/specification/components/r4/schemas/endpoints/a042-retrieve-attachment.yaml
@@ -105,4 +105,4 @@ responses:
   '500':
     $ref: '../responses/InternalServerError.yaml'
   '503':
-    $ref: '../responses/ServiceUnavailable.yaml'
\ No newline at end of file
+    $ref: '../responses/ServiceUnavailable.yaml'
diff --git a/tests/conftest.py b/tests/conftest.py
index 97de92084..ceceb5d0a 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -2,6 +2,7 @@
 import pytest
 import pytest_asyncio
 import warnings
+import json
 
 from uuid import uuid4
 from typing import Collection, Callable, Generator, Dict
@@ -79,6 +80,12 @@ def asid(is_mocked_environment):
     )
 
 
+@pytest.fixture(scope="session")
+def apim_app_flow_vars(allowListodsCode=None):
+    if allowListodsCode is not None:
+        return {"ers": {"allowListodsCode": allowListodsCode}}
+
+
 @pytest.fixture(scope="session")
 def referring_clinician(is_mocked_environment):
     return Actor.RC_DEV if is_mocked_environment else Actor.RC
@@ -127,7 +134,8 @@ async def user_restricted_product(client, make_product):
         [
             "urn:nhsd:apim:user-nhs-id:aal3:e-referrals-service-api",
             "urn:nhsd:apim:user-nhs-id:aal2:e-referrals-service-api",
-        ]
+        ],
+        additional_attributes=[{"name": "EUOAllowlistRequired", "value": "false"}],
     )
 
     print(f"product created: {productName}")
@@ -240,7 +248,7 @@ def _update_function(attr, value):
 
 @pytest.fixture
 def make_product(client, environment, service_name):
-    async def _make_product(product_scopes):
+    async def _make_product(product_scopes, additional_attributes=None):
         product = ApiProductsAPI(client=client)
 
         proxies = [f"identity-service-mock-{environment}"]
@@ -253,6 +261,10 @@ async def _make_product(product_scopes):
             {"name": "access", "value": "public"},
             {"name": "ratelimit", "value": "10ps"},
         ]
+
+        if additional_attributes is not None:
+            attributes.extend(additional_attributes)
+
         body = {
             "proxies": proxies,
             "scopes": product_scopes,
@@ -272,9 +284,18 @@ async def _make_product(product_scopes):
 
 
 @pytest_asyncio.fixture
-async def user_restricted_app(client, make_app, user_restricted_product, asid):
+async def user_restricted_app(
+    client, make_app, user_restricted_product, asid, apim_app_flow_vars
+):
     # Setup
-    app = await make_app(user_restricted_product, {"asid": asid})
+    if apim_app_flow_vars is not None:
+        odslist = json.dumps({"ers": {"allowListodsCode": apim_app_flow_vars}})
+        app = await make_app(
+            user_restricted_product,
+            {"asid": asid, "apim-app-flow-vars": odslist},
+        )
+    else:
+        app = await make_app(user_restricted_product, {"asid": asid})
 
     appName = app["name"]
     print(f"App created: {appName}")
@@ -297,6 +318,7 @@ async def _make_app(product, custom_attributes={}):
             {"name": key, "value": value} for key, value in custom_attributes.items()
         ]
         attributes.append({"name": "DisplayName", "value": app_name})
+        print(f"App attributes: {attributes}")
 
         body = {
             "apiProducts": [product],
diff --git a/tests/integration/test_headers.py b/tests/integration/test_headers.py
index c379500ee..80b654208 100644
--- a/tests/integration/test_headers.py
+++ b/tests/integration/test_headers.py
@@ -32,7 +32,11 @@ class TestHeaders:
     @pytest.mark.asyncio
     @pytest.mark.parametrize("user", [Actor.RC, Actor.AAL2_USER])
     async def test_headers_on_echo_target(
-        self, authenticate_user, service_url, user: Actor, asid
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
     ):
         access_code = await authenticate_user(user)
 
diff --git a/tests/integration/test_user_restricted.py b/tests/integration/test_user_restricted.py
new file mode 100644
index 000000000..1b21b401b
--- /dev/null
+++ b/tests/integration/test_user_restricted.py
@@ -0,0 +1,287 @@
+import pytest
+import requests
+from requests import Response
+from tests.data import RenamedHeader, Actor, UserAuthenticationLevel
+from tests.asserts import assert_ok_response
+
+_HEADER_AUTHORIZATION = "Authorization"
+_HEADER_ECHO = "echo"  # enable echo target
+_HEADER_BASE_URL = "x-ers-network-baseurl"
+_HEADER_USER_ID = "x-ers-user-id"
+_HEADER_REQUEST_ID = "x-request-id"
+_HEADER_ASID = "xapi_asid"
+_HEADER_ACCESS_MODE = "x-ers-access-mode"
+_HEADER_AAL = "x-ers-authentication-assurance-level"
+_HEADER_AMR = "x-ers-amr"
+_HEADER_ID_ASSURANCE_LEVEL = "x-ers-id-assurance-level"
+
+_EXPECTED_REFERRAL_ID = "000000040032"
+_EXPECTED_CORRELATION_ID = "123123-123123-123123-123123"
+_EXPECTED_FILENAME = "mysuperfilename.txt"
+_EXPECTED_COMMA_FILENAME = "mysuper,filename.txt"
+_EXPECTED_COMM_RULE_ORG = "R100"
+_EXPECTED_OBO_USER_ID = "0123456789000"
+_EXPECTED_ACCESS_MODE = "user-restricted"
+
+_SPECIALTY_REF_DATA_URL = "/FHIR/STU3/CodeSystem/SPECIALTY"
+_SEARCH_HEALTHCARE_SERVICE_R4_URL = "/FHIR/R4/HealthcareService"
+
+
+@pytest.mark.integration_test
+class TestUserRestricted:
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user, apim_app_flow_vars ",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
+    )
+    async def test_user_restricted_valid_ods_code(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: user.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+
+        # Verify the status
+        assert (
+            response.status_code == 200
+        ), "Expected a 200 when accessing the api but got " + str(response.status_code)
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, ["invalid_code"]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, ["invalid_code"]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, ["invalid_code"]),
+        ],
+    )
+    async def test_user_restricted_invalid_ods_code(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: user.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
+        assert (
+            response.status_code == 403
+        ), "Expected a 403 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "forbidden" if is_fhir_4 else "forbidden"
+        assert issue["diagnostics"] == (
+            "Unauthorised ODS code provided in NHSD-End-User-Organisation-ODS header"
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "NO_ACCESS"
+        )
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
+    )
+    async def test_user_restricted_missing_ods_header(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
+        assert (
+            response.status_code == 400
+        ), "Expected a 400 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "required" if is_fhir_4 else "required"
+        assert issue["diagnostics"] == (
+            "Missing or Empty NHSD-End-User-Organisation-ODS header."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "MISSING_HEADER" if is_fhir_4 else "MISSING_HEADER"
+        )
+
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "endpoint_url, is_fhir_4, user ,apim_app_flow_vars",
+        [
+            ("", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/R4/", True, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+            ("/FHIR/STU3/", False, Actor.RC_DEV, [Actor.RC_DEV.org_code]),
+        ],
+    )
+    async def test_user_restricted_missing_ods_code(
+        self,
+        authenticate_user,
+        service_url,
+        user: Actor,
+        asid,
+        endpoint_url,
+        is_fhir_4,
+        apim_app_flow_vars,
+    ):
+        access_code = await authenticate_user(user)
+
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: user.business_function,
+            RenamedHeader.ODS_CODE.original: "",
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(
+            f"{service_url}{endpoint_url}", headers=client_request_headers
+        )
+        # Verify the status
+        assert (
+            response.status_code == 400
+        ), "Expected a 400 when accessing the api but got " + str(response.status_code)
+        # Verify the OperationOutcome payload
+        response_data = response.json()
+        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["meta"]["lastUpdated"] is not None
+        assert len(response_data["meta"]["profile"]) == 1
+        assert response_data["meta"]["profile"][0] == (
+            "https://www.hl7.org/fhir/R4/operationoutcome.html"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/StructureDefinition/eRS-OperationOutcome-1"
+        )
+        assert len(response_data["issue"]) == 1
+        issue = response_data["issue"][0]
+        assert issue["severity"] == "error"
+        assert issue["code"] == "required" if is_fhir_4 else "required"
+        assert issue["diagnostics"] == (
+            "Missing or Empty NHSD-End-User-Organisation-ODS header."
+        )
+        assert len(issue["details"]["coding"]) == 1
+        issue_details = issue["details"]["coding"][0]
+        assert (
+            issue_details["system"]
+            == "https://fhir.nhs.uk/CodeSystem/NHSD-API-ErrorOrWarningCode"
+            if is_fhir_4
+            else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
+        )
+        assert (
+            issue_details["code"] == "MISSING_HEADER" if is_fhir_4 else "MISSING_HEADER"
+        )

From a52030bfb6a412740fe421db91a45db360e20e8e Mon Sep 17 00:00:00 2001
From: Jack Wainwright <jack.wainwright@bjss.com>
Date: Mon, 1 Sep 2025 15:48:57 +0100
Subject: [PATCH 2/6] [ERSSUP-89806]-[MW]-[Updated app-restricted business
 function validation to use new business functions]-[JW]

---
 proxies/live/apiproxy/targets/ers-target.xml | 25 ++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
index e6bfb2b1e..b839d7141 100644
--- a/proxies/live/apiproxy/targets/ers-target.xml
+++ b/proxies/live/apiproxy/targets/ers-target.xml
@@ -181,6 +181,23 @@
             </Step>
             <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
         </FaultRule>
+        <FaultRule name="invalid_business_function">
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = false)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.SetOperationOutcomeInvalidBusinessFunction</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
+        </FaultRule>
     </FaultRules>
     <PreFlow>
         <Request>
@@ -241,7 +258,7 @@
             <Request><!--AUTHORISED_APPLICATION business functions are not supported in user restricted flow --><Step>
                     <Name>RaiseFault.InvalidBusinessFunction</Name>
                     <Condition>(request.header.nhsd-ers-business-function == "PROVIDER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "REFERRER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
                 </Step><Step>
                     <Name>AssignMessage.Set.x-ers-user-id-header-user-restricted</Name>
@@ -271,17 +288,17 @@
                     <Name>AssignMessage.Set.x-ers-amr-header</Name>
                 </Step><Step>
                     <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
-                </Step> <Step>
+                </Step><Step>
                     <Condition>(request.header.x-ers-id-assurance-level LesserThan 3)</Condition>
                     <Name>RaiseFault.401InsufficientIal</Name>
                 </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %}<Step>
                     <Name>AssignMessage.SetEchoTarget</Name>
                     <Condition>(request.header.echo)</Condition>
-                </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %}<Step>
+                </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
                     <Name>AssignMessage.SetTruststore</Name>
                     <!--Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
                     <Condition>(isEchoCall != true )</Condition>
-                </Step> <Step>
+                </Step><Step>
                     <Name>AssignMessage.SetEchoTruststore</Name>
                     <Condition>(isEchoCall == true)</Condition>
                 </Step> {% endif %} <Step>

From 6944e42928e8ebfff07ce3ecf359dbb0f83b72dc Mon Sep 17 00:00:00 2001
From: Patrick Cando <patrick.cando1@nhs.net>
Date: Wed, 24 Sep 2025 08:31:05 +0000
Subject: [PATCH 3/6] Update resourceType

---
 tests/integration/test_user_restricted.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/tests/integration/test_user_restricted.py b/tests/integration/test_user_restricted.py
index 1b21b401b..299245490 100644
--- a/tests/integration/test_user_restricted.py
+++ b/tests/integration/test_user_restricted.py
@@ -118,7 +118,7 @@ async def test_user_restricted_invalid_ods_code(
         ), "Expected a 403 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["resourceType"] == "CodeSystem"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (
@@ -141,9 +141,7 @@ async def test_user_restricted_invalid_ods_code(
             if is_fhir_4
             else "https://fhir.nhs.uk/STU3/CodeSystem/eRS-APIErrorCode-1"
         )
-        assert (
-            issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "NO_ACCESS"
-        )
+        assert issue_details["code"] == "ACCESS_DENIED" if is_fhir_4 else "NO_ACCESS"
 
     @pytest.mark.asyncio
     @pytest.mark.parametrize(
@@ -188,7 +186,7 @@ async def test_user_restricted_missing_ods_header(
         ), "Expected a 400 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["resourceType"] == "CodeSystem"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (
@@ -259,7 +257,7 @@ async def test_user_restricted_missing_ods_code(
         ), "Expected a 400 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "OperationOutcome"
+        assert response_data["resourceType"] == "CodeSystem"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (

From 7edac83e6a87ecd4931175be7c55a7bee16caccc Mon Sep 17 00:00:00 2001
From: Patrick Cando <patrick.cando1@nhs.net>
Date: Wed, 24 Sep 2025 10:36:37 +0100
Subject: [PATCH 4/6] restore

---
 proxies/live/apiproxy/targets/ers-target.xml | 462 ++++++++++++++++---
 tests/integration/test_user_restricted.py    |   6 +-
 2 files changed, 406 insertions(+), 62 deletions(-)

diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
index b839d7141..fd822e325 100644
--- a/proxies/live/apiproxy/targets/ers-target.xml
+++ b/proxies/live/apiproxy/targets/ers-target.xml
@@ -29,17 +29,373 @@
             </Step>
             <Step>
                 <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                 <Condition>aalError == true</Condition>
             </Step>
             <Step>
                 <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
-                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                 <Condition>aalError == true</Condition>
             </Step>
+            <TargetEndpoint name="e-referrals-service-api-target">
+                <FaultRules>
+                    <FaultRule name="access_token_error_fhir_r4">
+                        <Step>
+                            <Name>ExtractVariables.OAuthErrorFaultString</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetInsufficientAALVariables</Name>
+                            <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = true)</Condition>
+                    </FaultRule>
+                    <FaultRule name="access_token_error">
+                        <Step>
+                            <Name>ExtractVariables.OAuthErrorFaultString</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetInsufficientAALVariables</Name>
+                            <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
+                            <Condition>aalError == true</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
+                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
+                            <Condition>aalError == true</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
+                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
+                            <Condition>aalError != true</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                            <Condition>aalError = true</Condition>
+                        </Step>
+                        <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = false)</Condition>
+                    </FaultRule>
+                    <FaultRule name="spike_arrest_fault_fhir_r4">
+                        <Step>
+                            <Name>AssignMessage.RatelimitOperationOutcomeResponse</Name>
+                        </Step>
+                        <Condition>(ratelimit.SpikeArrestPerApp.failed = true) and (isFhirR4Path = true)</Condition>
+                    </FaultRule>
+                    <FaultRule name="quota_fault_fhir_r4">
+                        <Step>
+                            <Name>AssignMessage.RatelimitOperationOutcomeResponse</Name>
+                        </Step>
+                        <Condition>(ratelimit.QuotaPerApp.failed = true) and (isFhirR4Path = true)</Condition>
+                    </FaultRule>
+                    <FaultRule name="spike_arrest_fault">
+                        <Step>
+                            <Name>AssignMessage.SpikeArrestErrorResponse</Name>
+                        </Step>
+                        <Condition>(ratelimit.SpikeArrestPerApp.failed = true) and (isFhirR4Path = false)</Condition>
+                    </FaultRule>
+                    <FaultRule name="quota_fault">
+                        <Step>
+                            <Name>AssignMessage.QuotaErrorResponse</Name>
+                        </Step>
+                        <Condition>(ratelimit.QuotaPerApp.failed = true) and (isFhirR4Path = false)</Condition>
+                    </FaultRule>
+                    <FaultRule name="insufficient_ial">
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeIssueIal</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(raisefault.RaiseFault.401InsufficientIal.failed = true)</Condition>
+                    </FaultRule>
+                    <FaultRule name="missing_asid">
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetOperationOutcomeMissingAsid</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(raisefault.RaiseFault.MissingAsid.failed = true)</Condition>
+                    </FaultRule>
+                    <FaultRule name="ods_header_not_in_partner_list_error">
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 403)</Condition>
+                    </FaultRule>
+                    <FaultRule name="ods_header_missing_error">
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingR4</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 400)</Condition>
+                    </FaultRule>
+                    <FaultRule name="euo_allowlist_internal_error">
+                        <Step>
+                            <Condition>(isFhirR4Path = false)</Condition>
+                            <Name>AssignMessage.InternalServerError</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.SetOperationOutcomeServiceError</Name>
+                        </Step>
+                        <Step>
+                            <Condition>(isFhirR4Path = true)</Condition>
+                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+                        </Step>
+                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 500)</Condition>
+                    </FaultRule>
+                </FaultRules>
+                <PreFlow>
+                    <Request>
+                        <Step>
+                            <Name>javascript.SetCurrentTimestamp</Name>
+                        </Step>
+                        <Step>
+                            <Name>javascript.IsFhirR4Path</Name>
+                        </Step>
+                        <Step>
+                            <Name>OauthV2.VerifyAccessToken</Name>
+                        </Step>
+                        <!--  https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without  -->
+                        <Step>
+                            <Name>FlowCallout.ExtendedAttributes</Name>
+                            <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
+                        </Step>
+                        <Step>
+                            <Name>FlowCallout.EUOAllowlistVerify</Name>
+                            <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
+                        </Step>
+                        <Step>
+                            <Name>RaiseFault.MissingAsid</Name>
+                            <Condition>(app.asid == null) Or (app.asid == "")</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.PopulateAsidFromApp</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.SetAsidHeader</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.AddBaseUrlHeader</Name>
+                        </Step>
+                        <Step>
+                            <Name>FlowCallout.ApplyRateLimiting</Name>
+                        </Step>
+                    </Request>
+                    <Response>
+                        <!--  Any steps that apply to response might have to be duplicated in DefaultFaultRule section so that they also apply
+                               to response on non success status code e.g. 200/201, Take care when updating these steps -->
+                        <Step>
+                            <Name>AssignMessage.SetFlagCustomHeaderXRequestId</Name>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.Swap.TransactionID</Name>
+                            <Condition>(response.header.x_ers_transaction_id ~~ ".+")</Condition>
+                        </Step>
+                        <Step>
+                            <Name>AssignMessage.Remove.nhsd-correlation-id-header</Name>
+                            <Condition>(response.header.nhsd-correlation-id ~~ ".+")</Condition>
+                        </Step>
+                    </Response>
+                </PreFlow>
+                <Flows>
+                    <Flow name="user-restricted-flow">
+                        <Condition>(accesstoken.auth_type == "user")</Condition>
+                        <Request><!-- AUTHORISED_APPLICATION business function is not supported in user restricted flow  --><Step>
+                                <Name>RaiseFault.403Forbidden</Name>
+                                <Condition>(request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-user-id-header-user-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.NHSD-eRS-On-Behalf-Of-User-ID</Name>
+                                <Condition>(request.header.NHSD-eRS-On-Behalf-Of-User-ID ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.nhsd-end-user-organisation-ods</Name>
+                                <Condition>(request.header.nhsd-end-user-organisation-ods ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.nhsd-ers-business-function</Name>
+                                <Condition>(request.header.nhsd-ers-business-function ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.nhsd-ers-comm-rule-org</Name>
+                                <Condition>(request.header.nhsd-ers-comm-rule-org ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.nhsd-ers-file-name</Name>
+                                <Condition>(request.header.nhsd-ers-file-name ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Swap.nhsd-ers-referral-id</Name>
+                                <Condition>(request.header.nhsd-ers-referral-id ~~ ".+")</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Remove.x-request-id-header</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-authentication-assurance-level-header</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-amr-header</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
+                            </Step> <Step>
+                                <Condition>(request.header.x-ers-id-assurance-level LesserThan 3)</Condition>
+                                <Name>RaiseFault.401InsufficientIal</Name>
+                            </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
+                                <Name>AssignMessage.SetEchoTarget</Name>
+                                <Condition>(request.header.echo)</Condition>
+                            </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
+                                <Name>AssignMessage.SetTruststore</Name>
+                                <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
+                                <Condition>(isEchoCall != true )</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.SetEchoTruststore</Name>
+                                <Condition>(isEchoCall == true)</Condition>
+                            </Step> {% endif %} <Step>
+                                <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
+                                        The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
+                                <Name>AssignMessage.Swap.CorrelationHeader</Name>
+                            </Step></Request>
+                        <Response/>
+                    </Flow>
+                    <Flow name="app-restricted-flow">
+                        <Condition>(accesstoken.auth_type == "app")</Condition>
+                        <Request><!--  reject if headers that are overriden as part of app restricted call are provided --><Step>
+                                <Name>RaiseFault.403Forbidden</Name>
+                                <Condition>(request.header.x-ers-ods-code)</Condition>
+                            </Step> <Step>
+                                <Name>RaiseFault.403Forbidden</Name>
+                                <Condition>(request.header.x-ers-business-function)</Condition>
+                            </Step> <Step>
+                                <Name>RaiseFault.403Forbidden</Name>
+                                <Condition>(request.header.x-ers-user-id)</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-access-mode-header-app-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.nhsd-ers-ods-code-header-app-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.nhsd-ers-business-function-header-app-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Set.x-ers-user-id-header-app-restricted</Name>
+                            </Step> <Step>
+                                <Name>AssignMessage.Remove.x-request-id-header</Name>
+                            </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
+                                <Name>AssignMessage.SetEchoTarget</Name>
+                                <Condition>(request.header.echo)</Condition>
+                            </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
+                                <Name>AssignMessage.SetTruststore</Name>
+                                <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
+                                <Condition>(isEchoCall != true )</Condition>
+                            </Step> <Step>
+                                <Name>AssignMessage.SetEchoTruststore</Name>
+                                <Condition>(isEchoCall == true)</Condition>
+                            </Step> {% endif %} <Step>
+                                <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
+                                        The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
+                                <Name>AssignMessage.Swap.CorrelationHeader</Name>
+                            </Step></Request>
+                        <Response/>
+                    </Flow>
+                    <!--  Something went wrong as one of the above flows should have triggered, this flow should never trigger in normal operation -->
+                    <Flow name="undefined-flow">
+                        <Request>
+                            <Step>
+                                <Name>RaiseFault.403Forbidden</Name>
+                            </Step>
+                        </Request>
+                        <Response/>
+                    </Flow>
+                </Flows>
+                <HTTPTargetConnection>
+                    <SSLInfo>{% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <TrustStore>{truststore}</TrustStore> {% endif %} <Enabled>true</Enabled></SSLInfo>
+                    <LoadBalancer>
+                        <Server name="{{ ERS_TARGET_SERVER | default('e-referrals-service-api') }}"/>
+                    </LoadBalancer>
+                    <Path>/ers-api</Path>
+                    <Properties>
+                        <Property name="supports.http10">true</Property>
+                        <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
+                        <Property name="retain.queryparams">apikey</Property>
+                        <Property name="io.timeout.millis">180000</Property>
+                    </Properties>
+                </HTTPTargetConnection>
+                <DefaultFaultRule>
+                    <Step>
+                        <Name>AssignMessage.SetFlagCustomHeaderXRequestId</Name>
+                    </Step>
+                    <Step>
+                        <Name>AssignMessage.Swap.TransactionID</Name>
+                        <Condition>(response.header.x_ers_transaction_id ~~ ".+")</Condition>
+                    </Step>
+                    <Step>
+                        <Name>AssignMessage.Remove.nhsd-correlation-id-header</Name>
+                        <Condition>(response.header.nhsd-correlation-id ~~ ".+")</Condition>
+                    </Step>
+                </DefaultFaultRule>
+            </TargetEndpoint>
             <Step>
                 <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
-                <!--Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                 <Condition>aalError != true</Condition>
             </Step>
             <Step>
@@ -132,6 +488,18 @@
                 <Condition>(isFhirR4Path = false)</Condition>
                 <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4</Name>
             </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
+            </Step>
+            <Step>
+                <Condition>(isFhirR4Path = true)</Condition>
+                <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4</Name>
+            </Step>
+            <Step>
+                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
+            </Step>
+            <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 403)</Condition>
         </FaultRule>
         <FaultRule name="ods_header_missing_error">
             <Step>
@@ -172,31 +540,7 @@
                 <Condition>(isFhirR4Path = true)</Condition>
                 <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
             </Step>
-            <Step>
-                <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 500)</Condition>
-                <Name>AssignMessage.SetOperationOutcomeInvalidBusinessFunction</Name>
-            </Step>
-            <Step>
-                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-            </Step>
-            <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
-        </FaultRule>
-        <FaultRule name="invalid_business_function">
-            <Step>
-                <Condition>(isFhirR4Path = true)</Condition>
-                <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-            </Step>
-            <Step>
-                <Condition>(isFhirR4Path = false)</Condition>
-                <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-            </Step>
-            <Step>
-                <Name>AssignMessage.SetOperationOutcomeInvalidBusinessFunction</Name>
-            </Step>
-            <Step>
-                <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-            </Step>
-            <Condition>(raisefault.RaiseFault.InvalidBusinessFunction.failed = true)</Condition>
+            <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 500)</Condition>
         </FaultRule>
     </FaultRules>
     <PreFlow>
@@ -210,7 +554,7 @@
             <Step>
                 <Name>OauthV2.VerifyAccessToken</Name>
             </Step>
-            <!-- https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without -->
+            <!--  https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without  -->
             <Step>
                 <Name>FlowCallout.ExtendedAttributes</Name>
                 <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
@@ -237,8 +581,8 @@
             </Step>
         </Request>
         <Response>
-            <!-- Any steps that apply to response might have to be duplicated in DefaultFaultRule section so that they also apply
-           to response on non success status code e.g. 200/201, Take care when updating these steps-->
+            <!--  Any steps that apply to response might have to be duplicated in DefaultFaultRule section so that they also apply
+                       to response on non success status code e.g. 200/201, Take care when updating these steps -->
             <Step>
                 <Name>AssignMessage.SetFlagCustomHeaderXRequestId</Name>
             </Step>
@@ -255,62 +599,62 @@
     <Flows>
         <Flow name="user-restricted-flow">
             <Condition>(accesstoken.auth_type == "user")</Condition>
-            <Request><!--AUTHORISED_APPLICATION business functions are not supported in user restricted flow --><Step>
-                    <Name>RaiseFault.InvalidBusinessFunction</Name>
-                    <Condition>(request.header.nhsd-ers-business-function == "PROVIDER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "REFERRER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
+            <Request><!-- AUTHORISED_APPLICATION business function is not supported in user restricted flow  --><Step>
+                    <Name>RaiseFault.403Forbidden</Name>
+                    <Condition>(request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
                 </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-user-id-header-user-restricted</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.NHSD-eRS-On-Behalf-Of-User-ID</Name>
                     <Condition>(request.header.NHSD-eRS-On-Behalf-Of-User-ID ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.nhsd-end-user-organisation-ods</Name>
                     <Condition>(request.header.nhsd-end-user-organisation-ods ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.nhsd-ers-business-function</Name>
                     <Condition>(request.header.nhsd-ers-business-function ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.nhsd-ers-comm-rule-org</Name>
                     <Condition>(request.header.nhsd-ers-comm-rule-org ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.nhsd-ers-file-name</Name>
                     <Condition>(request.header.nhsd-ers-file-name ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Swap.nhsd-ers-referral-id</Name>
                     <Condition>(request.header.nhsd-ers-referral-id ~~ ".+")</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Remove.x-request-id-header</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-authentication-assurance-level-header</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-amr-header</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Condition>(request.header.x-ers-id-assurance-level LesserThan 3)</Condition>
                     <Name>RaiseFault.401InsufficientIal</Name>
-                </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %}<Step>
+                </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
                     <Name>AssignMessage.SetEchoTarget</Name>
                     <Condition>(request.header.echo)</Condition>
                 </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
                     <Name>AssignMessage.SetTruststore</Name>
-                    <!--Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                    <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                     <Condition>(isEchoCall != true )</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.SetEchoTruststore</Name>
                     <Condition>(isEchoCall == true)</Condition>
                 </Step> {% endif %} <Step>
-                    <!--This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
-            The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend. -->
+                    <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
+                                The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
                     <Name>AssignMessage.Swap.CorrelationHeader</Name>
                 </Step></Request>
             <Response/>
         </Flow>
         <Flow name="app-restricted-flow">
             <Condition>(accesstoken.auth_type == "app")</Condition>
-            <Request><!-- reject if headers that are overriden as part of app restricted call are provided--><Step>
+            <Request><!--  reject if headers that are overriden as part of app restricted call are provided --><Step>
                     <Name>RaiseFault.403Forbidden</Name>
                     <Condition>(request.header.x-ers-ods-code)</Condition>
                 </Step> <Step>
@@ -327,26 +671,26 @@
                     <Name>AssignMessage.Set.nhsd-ers-business-function-header-app-restricted</Name>
                 </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-user-id-header-app-restricted</Name>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.Remove.x-request-id-header</Name>
-                </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %}<Step>
+                </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
                     <Name>AssignMessage.SetEchoTarget</Name>
                     <Condition>(request.header.echo)</Condition>
                 </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
                     <Name>AssignMessage.SetTruststore</Name>
-                    <!--Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements)-->
+                    <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                     <Condition>(isEchoCall != true )</Condition>
-                </Step><Step>
+                </Step> <Step>
                     <Name>AssignMessage.SetEchoTruststore</Name>
                     <Condition>(isEchoCall == true)</Condition>
                 </Step> {% endif %} <Step>
-                    <!--This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
-            The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend. -->
+                    <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
+                                The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
                     <Name>AssignMessage.Swap.CorrelationHeader</Name>
                 </Step></Request>
             <Response/>
         </Flow>
-        <!-- Something went wrong as one of the above flows should have triggered, this flow should never trigger in normal operation-->
+        <!--  Something went wrong as one of the above flows should have triggered, this flow should never trigger in normal operation -->
         <Flow name="undefined-flow">
             <Request>
                 <Step>
diff --git a/tests/integration/test_user_restricted.py b/tests/integration/test_user_restricted.py
index 299245490..8d4af58ec 100644
--- a/tests/integration/test_user_restricted.py
+++ b/tests/integration/test_user_restricted.py
@@ -118,7 +118,7 @@ async def test_user_restricted_invalid_ods_code(
         ), "Expected a 403 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "CodeSystem"
+        assert response_data["resourceType"] == "OperationOutcome"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (
@@ -186,7 +186,7 @@ async def test_user_restricted_missing_ods_header(
         ), "Expected a 400 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "CodeSystem"
+        assert response_data["resourceType"] == "OperationOutcome"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (
@@ -257,7 +257,7 @@ async def test_user_restricted_missing_ods_code(
         ), "Expected a 400 when accessing the api but got " + str(response.status_code)
         # Verify the OperationOutcome payload
         response_data = response.json()
-        assert response_data["resourceType"] == "CodeSystem"
+        assert response_data["resourceType"] == "OperationOutcome"
         assert response_data["meta"]["lastUpdated"] is not None
         assert len(response_data["meta"]["profile"]) == 1
         assert response_data["meta"]["profile"][0] == (

From 7803c89365d3bdf9a9f2e185a03698279958ae3e Mon Sep 17 00:00:00 2001
From: Patrick Cando <patrick.cando1@nhs.net>
Date: Wed, 24 Sep 2025 12:12:02 +0000
Subject: [PATCH 5/6] fix

---
 proxies/live/apiproxy/targets/ers-target.xml | 356 -------------------
 1 file changed, 356 deletions(-)

diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
index fd822e325..30ef83faa 100644
--- a/proxies/live/apiproxy/targets/ers-target.xml
+++ b/proxies/live/apiproxy/targets/ers-target.xml
@@ -37,362 +37,6 @@
                 <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
                 <Condition>aalError == true</Condition>
             </Step>
-            <TargetEndpoint name="e-referrals-service-api-target">
-                <FaultRules>
-                    <FaultRule name="access_token_error_fhir_r4">
-                        <Step>
-                            <Name>ExtractVariables.OAuthErrorFaultString</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetInsufficientAALVariables</Name>
-                            <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = true)</Condition>
-                    </FaultRule>
-                    <FaultRule name="access_token_error">
-                        <Step>
-                            <Name>ExtractVariables.OAuthErrorFaultString</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetInsufficientAALVariables</Name>
-                            <Condition>faultstring ~ "*OauthV2.VerifyAccessToken.scopeSet*"</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
-                            <Condition>aalError == true</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeIssueCodeLogin</Name>
-                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
-                            <Condition>aalError == true</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
-                            <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
-                            <Condition>aalError != true</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                            <Condition>aalError = true</Condition>
-                        </Step>
-                        <Condition>(oauthV2.OauthV2.VerifyAccessToken.failed = true) and (isFhirR4Path = false)</Condition>
-                    </FaultRule>
-                    <FaultRule name="spike_arrest_fault_fhir_r4">
-                        <Step>
-                            <Name>AssignMessage.RatelimitOperationOutcomeResponse</Name>
-                        </Step>
-                        <Condition>(ratelimit.SpikeArrestPerApp.failed = true) and (isFhirR4Path = true)</Condition>
-                    </FaultRule>
-                    <FaultRule name="quota_fault_fhir_r4">
-                        <Step>
-                            <Name>AssignMessage.RatelimitOperationOutcomeResponse</Name>
-                        </Step>
-                        <Condition>(ratelimit.QuotaPerApp.failed = true) and (isFhirR4Path = true)</Condition>
-                    </FaultRule>
-                    <FaultRule name="spike_arrest_fault">
-                        <Step>
-                            <Name>AssignMessage.SpikeArrestErrorResponse</Name>
-                        </Step>
-                        <Condition>(ratelimit.SpikeArrestPerApp.failed = true) and (isFhirR4Path = false)</Condition>
-                    </FaultRule>
-                    <FaultRule name="quota_fault">
-                        <Step>
-                            <Name>AssignMessage.QuotaErrorResponse</Name>
-                        </Step>
-                        <Condition>(ratelimit.QuotaPerApp.failed = true) and (isFhirR4Path = false)</Condition>
-                    </FaultRule>
-                    <FaultRule name="insufficient_ial">
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeIssueIal</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(raisefault.RaiseFault.401InsufficientIal.failed = true)</Condition>
-                    </FaultRule>
-                    <FaultRule name="missing_asid">
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetOperationOutcomeMissingAsid</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(raisefault.RaiseFault.MissingAsid.failed = true)</Condition>
-                    </FaultRule>
-                    <FaultRule name="ods_header_not_in_partner_list_error">
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeODSHeaderValueNotInPartnerListR4</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 403)</Condition>
-                    </FaultRule>
-                    <FaultRule name="ods_header_missing_error">
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingPreR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeODSHeaderMissingR4</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 400)</Condition>
-                    </FaultRule>
-                    <FaultRule name="euo_allowlist_internal_error">
-                        <Step>
-                            <Condition>(isFhirR4Path = false)</Condition>
-                            <Name>AssignMessage.InternalServerError</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeVariablesR4</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.SetOperationOutcomeServiceError</Name>
-                        </Step>
-                        <Step>
-                            <Condition>(isFhirR4Path = true)</Condition>
-                            <Name>AssignMessage.OperationOutcomeErrorResponse</Name>
-                        </Step>
-                        <Condition>(raisefault.RaiseFault.CheckAllowlistFailed.failed = true) and (validation.statusCode = 500)</Condition>
-                    </FaultRule>
-                </FaultRules>
-                <PreFlow>
-                    <Request>
-                        <Step>
-                            <Name>javascript.SetCurrentTimestamp</Name>
-                        </Step>
-                        <Step>
-                            <Name>javascript.IsFhirR4Path</Name>
-                        </Step>
-                        <Step>
-                            <Name>OauthV2.VerifyAccessToken</Name>
-                        </Step>
-                        <!--  https://nhsd-jira.digital.nhs.uk/browse/ERSSUP-86126 Single ASID Per Connecting Party. Only for user-restricted, excludes Practitioner Role endpoint which should be accessible without  -->
-                        <Step>
-                            <Name>FlowCallout.ExtendedAttributes</Name>
-                            <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
-                        </Step>
-                        <Step>
-                            <Name>FlowCallout.EUOAllowlistVerify</Name>
-                            <Condition>(accesstoken.auth_type == "user") and (proxy.pathsuffix != "/FHIR/R4/PractitionerRole")</Condition>
-                        </Step>
-                        <Step>
-                            <Name>RaiseFault.MissingAsid</Name>
-                            <Condition>(app.asid == null) Or (app.asid == "")</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.PopulateAsidFromApp</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.SetAsidHeader</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.AddBaseUrlHeader</Name>
-                        </Step>
-                        <Step>
-                            <Name>FlowCallout.ApplyRateLimiting</Name>
-                        </Step>
-                    </Request>
-                    <Response>
-                        <!--  Any steps that apply to response might have to be duplicated in DefaultFaultRule section so that they also apply
-                               to response on non success status code e.g. 200/201, Take care when updating these steps -->
-                        <Step>
-                            <Name>AssignMessage.SetFlagCustomHeaderXRequestId</Name>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.Swap.TransactionID</Name>
-                            <Condition>(response.header.x_ers_transaction_id ~~ ".+")</Condition>
-                        </Step>
-                        <Step>
-                            <Name>AssignMessage.Remove.nhsd-correlation-id-header</Name>
-                            <Condition>(response.header.nhsd-correlation-id ~~ ".+")</Condition>
-                        </Step>
-                    </Response>
-                </PreFlow>
-                <Flows>
-                    <Flow name="user-restricted-flow">
-                        <Condition>(accesstoken.auth_type == "user")</Condition>
-                        <Request><!-- AUTHORISED_APPLICATION business function is not supported in user restricted flow  --><Step>
-                                <Name>RaiseFault.403Forbidden</Name>
-                                <Condition>(request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-user-id-header-user-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.NHSD-eRS-On-Behalf-Of-User-ID</Name>
-                                <Condition>(request.header.NHSD-eRS-On-Behalf-Of-User-ID ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.nhsd-end-user-organisation-ods</Name>
-                                <Condition>(request.header.nhsd-end-user-organisation-ods ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.nhsd-ers-business-function</Name>
-                                <Condition>(request.header.nhsd-ers-business-function ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.nhsd-ers-comm-rule-org</Name>
-                                <Condition>(request.header.nhsd-ers-comm-rule-org ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.nhsd-ers-file-name</Name>
-                                <Condition>(request.header.nhsd-ers-file-name ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Swap.nhsd-ers-referral-id</Name>
-                                <Condition>(request.header.nhsd-ers-referral-id ~~ ".+")</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Remove.x-request-id-header</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-authentication-assurance-level-header</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-amr-header</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-id-assurance-level-header</Name>
-                            </Step> <Step>
-                                <Condition>(request.header.x-ers-id-assurance-level LesserThan 3)</Condition>
-                                <Name>RaiseFault.401InsufficientIal</Name>
-                            </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
-                                <Name>AssignMessage.SetEchoTarget</Name>
-                                <Condition>(request.header.echo)</Condition>
-                            </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
-                                <Name>AssignMessage.SetTruststore</Name>
-                                <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
-                                <Condition>(isEchoCall != true )</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.SetEchoTruststore</Name>
-                                <Condition>(isEchoCall == true)</Condition>
-                            </Step> {% endif %} <Step>
-                                <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
-                                        The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
-                                <Name>AssignMessage.Swap.CorrelationHeader</Name>
-                            </Step></Request>
-                        <Response/>
-                    </Flow>
-                    <Flow name="app-restricted-flow">
-                        <Condition>(accesstoken.auth_type == "app")</Condition>
-                        <Request><!--  reject if headers that are overriden as part of app restricted call are provided --><Step>
-                                <Name>RaiseFault.403Forbidden</Name>
-                                <Condition>(request.header.x-ers-ods-code)</Condition>
-                            </Step> <Step>
-                                <Name>RaiseFault.403Forbidden</Name>
-                                <Condition>(request.header.x-ers-business-function)</Condition>
-                            </Step> <Step>
-                                <Name>RaiseFault.403Forbidden</Name>
-                                <Condition>(request.header.x-ers-user-id)</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-access-mode-header-app-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.nhsd-ers-ods-code-header-app-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.nhsd-ers-business-function-header-app-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Set.x-ers-user-id-header-app-restricted</Name>
-                            </Step> <Step>
-                                <Name>AssignMessage.Remove.x-request-id-header</Name>
-                            </Step> {% if ALLOW_ECHO_TARGET | default(false) == true %} <Step>
-                                <Name>AssignMessage.SetEchoTarget</Name>
-                                <Condition>(request.header.echo)</Condition>
-                            </Step> {% endif %} {% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <Step>
-                                <Name>AssignMessage.SetTruststore</Name>
-                                <!-- Condition is implemented this way around to account for isEchoCall being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->
-                                <Condition>(isEchoCall != true )</Condition>
-                            </Step> <Step>
-                                <Name>AssignMessage.SetEchoTruststore</Name>
-                                <Condition>(isEchoCall == true)</Condition>
-                            </Step> {% endif %} <Step>
-                                <!-- This should always be the last Step - as it is just before the message is sent - so the initial request stays intact for as long as possible.
-                                        The Swapping of the Request Headers converts X-Correlation-ID to NHSD-Correlation-ID before sending to backend.  -->
-                                <Name>AssignMessage.Swap.CorrelationHeader</Name>
-                            </Step></Request>
-                        <Response/>
-                    </Flow>
-                    <!--  Something went wrong as one of the above flows should have triggered, this flow should never trigger in normal operation -->
-                    <Flow name="undefined-flow">
-                        <Request>
-                            <Step>
-                                <Name>RaiseFault.403Forbidden</Name>
-                            </Step>
-                        </Request>
-                        <Response/>
-                    </Flow>
-                </Flows>
-                <HTTPTargetConnection>
-                    <SSLInfo>{% if '--ft-' in (ERS_TARGET_SERVER | default('e-referrals-service-api')) %} <TrustStore>{truststore}</TrustStore> {% endif %} <Enabled>true</Enabled></SSLInfo>
-                    <LoadBalancer>
-                        <Server name="{{ ERS_TARGET_SERVER | default('e-referrals-service-api') }}"/>
-                    </LoadBalancer>
-                    <Path>/ers-api</Path>
-                    <Properties>
-                        <Property name="supports.http10">true</Property>
-                        <Property name="request.retain.headers">User-Agent,Referer,Accept-Language</Property>
-                        <Property name="retain.queryparams">apikey</Property>
-                        <Property name="io.timeout.millis">180000</Property>
-                    </Properties>
-                </HTTPTargetConnection>
-                <DefaultFaultRule>
-                    <Step>
-                        <Name>AssignMessage.SetFlagCustomHeaderXRequestId</Name>
-                    </Step>
-                    <Step>
-                        <Name>AssignMessage.Swap.TransactionID</Name>
-                        <Condition>(response.header.x_ers_transaction_id ~~ ".+")</Condition>
-                    </Step>
-                    <Step>
-                        <Name>AssignMessage.Remove.nhsd-correlation-id-header</Name>
-                        <Condition>(response.header.nhsd-correlation-id ~~ ".+")</Condition>
-                    </Step>
-                </DefaultFaultRule>
-            </TargetEndpoint>
             <Step>
                 <Name>AssignMessage.OAuthPolicyErrorResponse</Name>
                 <!-- Condition is implemented this way around to account for aalError being null (https://docs.apigee.com/api-platform/reference/conditions-reference#behaviorofnulloperandsinconditionalstatements) -->

From 211076133a3e8d0260bf0361e3a47fdcee725383 Mon Sep 17 00:00:00 2001
From: Patrick Cando <patrick.cando1@nhs.net>
Date: Wed, 24 Sep 2025 12:29:58 +0000
Subject: [PATCH 6/6] fix

---
 proxies/live/apiproxy/targets/ers-target.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxies/live/apiproxy/targets/ers-target.xml b/proxies/live/apiproxy/targets/ers-target.xml
index 30ef83faa..463040ddb 100644
--- a/proxies/live/apiproxy/targets/ers-target.xml
+++ b/proxies/live/apiproxy/targets/ers-target.xml
@@ -244,8 +244,8 @@
         <Flow name="user-restricted-flow">
             <Condition>(accesstoken.auth_type == "user")</Condition>
             <Request><!-- AUTHORISED_APPLICATION business function is not supported in user restricted flow  --><Step>
-                    <Name>RaiseFault.403Forbidden</Name>
-                    <Condition>(request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
+                    <Name>RaiseFault.InvalidBusinessFunction</Name>
+                    <Condition>(request.header.nhsd-ers-business-function == "PROVIDER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "REFERRER_AUTHORISED_APPLICATION") or (request.header.nhsd-ers-business-function == "AUTHORISED_APPLICATION")</Condition>
                 </Step> <Step>
                     <Name>AssignMessage.Set.x-ers-access-mode-header-user-restricted</Name>
                 </Step> <Step>