@clewellyn-nava clewellyn-nava commented Nov 25, 2025

JIRA Ticket:

What Does This PR Do?

This PR:

  1. Adds views to support /v3/DigitalInsuranceCard
  2. Adds a new permissions class (HasDigitalInsuranceCardScope) and unit tests for covering the scopes required
  3. Adds the digital insurance card to the testclient
  4. Updates many HTTPS calls to BFD from a MIME type of json or application/json to application/fhir+json, which is the correct/appropriate MIME type for those calls.

What Should Reviewers Watch For?

  • Reviewers should try and make calls against the C4DIC endpoint with the wrong scopes. For example, if you call the endpoint via Postman and only have Read or Search (but not both), then a call against this endpoint should fail.
  • We left ViewSet implementations in the codebase for discussion. After discussion, we might either move them into the primary way we handle API calls, or we might remove them. They are not executed in production, and therefore are left for discussion at this time. (If this is deemed to be a bad idea, we can pull them from this PR.)
  • We do not have tests on the testclient view, or on the call to BFD. This is because we do not have a test user we know we can code into the codebase for this purpose. Something to discuss as a team.

Validation

Unit tests pass, integration tests pass, local testclient works as expected. This shouldn't be a functional change of any existing endpoints or tests.

For testing the C4DIC endpoint, you will need to authenticate with BBUser09995 (PW09995!@), as it has the C4DIC data populated. (BBUser09003 also seems to work.)

What Security Implications Does This PR Have?

N/A

Any Migrations?

N/A
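
The scope behaviour reviewers are asked to check above (a token holding only one of the two scopes must be refused), as an added example that is not code from this PR or the project. The scope strings and the `Token`, `Request`, `AnyScopePermission`, `AllScopesPermission` and `status_for` names are hypothetical stand-ins; the PR does not show the real scope names or the body of `HasDigitalInsuranceCardScope`.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical scope names; the PR does not list the real scope strings.
REQUIRED_SCOPES = frozenset({"example/Coverage.read", "example/Coverage.search"})


@dataclass
class Token:
    """Stand-in for an OAuth2 access token; scope is space-delimited (RFC 6749)."""
    scope: str


@dataclass
class Request:
    """Stand-in for a framework request; auth is None when no token was sent."""
    auth: Optional[Token] = None


def granted_scopes(request: Request) -> frozenset:
    """Scopes carried by the request's token, or an empty set if there is none."""
    if request.auth is None or not request.auth.scope:
        return frozenset()
    # Split into whole scope tokens so "….reader" never matches "….read".
    return frozenset(request.auth.scope.split())


class AnyScopePermission:
    """Weak form: passes when the token holds at least one required scope."""

    def has_permission(self, request: Request, view=None) -> bool:
        return bool(REQUIRED_SCOPES & granted_scopes(request))


class AllScopesPermission:
    """Corrected form: passes only when every required scope is present."""

    def has_permission(self, request: Request, view=None) -> bool:
        return REQUIRED_SCOPES <= granted_scopes(request)


def status_for(permission, scope: Optional[str]) -> int:
    """HTTP status a gated view would return; a missing token is also denied."""
    request = Request(auth=Token(scope) if scope is not None else None)
    return 200 if permission.has_permission(request) else 403
```

A unit test for the permission class can assert on each single-scope token separately, since an any-of check passes the combined case and only fails these.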

@clewellyn-nava clewellyn-nava changed the title C4DIC Endpoint BB2-4266 - C4DIC Endpoint Nov 26, 2025
@clewellyn-nava clewellyn-nava marked this pull request as ready for review November 26, 2025 18:44
@JamesDemeryNava JamesDemeryNava marked this pull request as draft December 2, 2025 14:36
We're discovering what is needed for "integration" or "e2e" tests, and perhaps Selenium should just do the lifting. Cleaning up a bit, and diving into the token permissions.
After much sleuthing and conversation, we decided that trying to make the ProtectedCapabilities model work for C4DIC does not make sense. Further, HasDigitalInsuranceCardScope does *almost* the same checking; the only thing it does not check is the *method*, which is not a showstopper (or even a concern, really, because we already gate that elsewhere).
This does not have tests for `DigitalInsuranceCard`. That would imply that we have a user we can plug in for upstream tests against BFD. It is unclear if we have that user.
@jadudm jadudm marked this pull request as ready for review December 8, 2025 16:07
@jimmyfagan jimmyfagan self-assigned this Dec 8, 2025

JamesDemeryNava commented Dec 9, 2025

Looks great! Testclient looks good (did v2 as well just to be sure), Postman works as expected, and when I only have read scopes for an access token, I get a 403. All the functionality looks good, going through the diff now.

Just left a few questions/comments.

"""
def has_permission(self, request, view):

def has_permission(self, request, view) -> bool: # type: ignore
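
Review bot: the bare `# type: ignore` on the new `has_permission(self, request, view) -> bool` signature suppresses every type-checker error on that line, including any introduced by later edits to a permission check. If the suppression is needed, scope it to the specific error code the checker reports and add a short comment saying why; otherwise drop it.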

Why do we need the type: ignore here?

class TokenHasProtectedCapability(permissions.BasePermission):

def has_permission(self, request, view):
def has_permission(self, request, view) -> bool: # type: ignore

same comment here

@JamesDemeryNava JamesDemeryNava left a comment

This looks good to me! All the functionality works from what I tested, and comments have been addressed. I'd say this could use another set of eyes before merging, but there was a ton of collaboration on this already.

@jadudm jadudm merged commit 8cee77f into master Dec 9, 2025
8 checks passed
@jadudm jadudm deleted the clewellyn-nava/BB2-4266/C4DIC-endpoint branch December 9, 2025 21:40