@ministryofjustice/hmpps-prison-permissions-lib 0.0.1-alpha.1

package/CHANGELOG.md

@@ -0,0 +1 @@
+# Change log

package/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Crown Copyright (Ministry of Justice)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,116 @@
+# hmpps-prison-permissions-lib
+
+[![repo standards badge](https://img.shields.io/badge/endpoint.svg?&style=flat&logo=github&url=https%3A%2F%2Foperations-engineering-reports.cloud-platform.service.justice.gov.uk%2Fapi%2Fv1%2Fcompliant_public_repositories%2Fhmpps-prison-permissions-lib)](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/hmpps-prison-permissions-lib "Link to report")
+
+A Node.js client library to centralise the process of determining user permissions for prison services and data.
+
+We welcome feedback on this library and README [here](https://moj.enterprise.slack.com/archives/C04JFG3QJE6)
+in order to improve it.
+
+## Table of Contents
+
+1. [Introduction](#-introduction)
+2. [What checks are made?](#-what-checks-are-made)
+3. [Where does the data come from?](#-where-does-the-data-come-from)
+4. [How do I implement this library?](#-how-do-i-implement-this-library)
+
+## ✨ Introduction
+
+Determining whether a user has access to a particular resource (e.g. a service, or prisoner data) consists of a
+number of checks and is not necessarily just determined by what roles a user has been assigned.
+
+This permissions library aims to share the logic centrally so that all services agree on what a user should and
+should not be able to access. It is used by the prisoner profile to determine if a user can access certain parts
+of the prisoner's profile for example.
+
+## 🔎 What checks are made?
+
+The permissions use a variety of checks, based on:
+* The user's DPS roles
+* The user's case load list (and active case load)
+* The user's key worker status at a prison
+* The prisoner's location (which prison they are at, or whether they are transferring or out of prison)
+* The prisoner's restricted patient status
+
+## 📊 Where does the data come from?
+
+We do not yet have a centralised permissions service, so this library requires some input data to determine
+the user permissions.
+
+We expect that the user's roles and case loads are already available at:
+* `res.locals.user.userRoles`,
+* `res.locals.user.caseLoads`,
+* `res.locals.user.activeCaseLoad`,
+* `res.locals.user.activeCaseLoadId`,
+
+User roles are already part of the Typescript Template project [here](https://github.com/ministryofjustice/hmpps-template-typescript/blob/main/server/middleware/setUpCurrentUser.ts#L26)
+and the retrieval of case load data is available in [hmpps-connect-dps-components](https://github.com/ministryofjustice/hmpps-connect-dps-components?tab=readme-ov-file#populating-reslocalsuser-with-the-shared-case-load-data)
+middleware.
+
+The library will make its own calls to Prison API to determine the user's key worker status, caching it in the user
+session and storing it at `res.locals.user.keyWorkerAtPrisons`.
+
+Finally the library will also retrieve data about a prisoner from [hmpps-prisoner-search](https://github.com/ministryofjustice/hmpps-prisoner-search)
+and store it at `req.middleware.prisonerData`.
+
+## ✍️ How do I implement this library?
+
+### 1. Install the library
+
+```shell
+npm install @ministryofjustice/hmpps-prison-permissions-lib
+```
+
+### 2. Create the PermissionsService
+
+The permissions service should be created just like any other of your services. It requires the following:
+
+* `prisonApiConfig`: [Prison API](https://github.com/ministryofjustice/prison-api) configuration conforming to the `hmpps-typescript-lib`'s `ApiConfig` [interface](https://github.com/ministryofjustice/hmpps-typescript-lib/blob/main/packages/rest-client/src/main/types/ApiConfig.ts)
+* `prisonerSearchConfig`: [Prisoner Search](https://github.com/ministryofjustice/hmpps-prisoner-search) configuration conforming to the `hmpps-typescript-lib`'s `ApiConfig` [interface](https://github.com/ministryofjustice/hmpps-typescript-lib/blob/main/packages/rest-client/src/main/types/ApiConfig.ts)
+* `authenticationClient`: An `AuthenticationClient` instance (see [hmpps-typescript-lib](https://github.com/ministryofjustice/hmpps-typescript-lib/blob/main/packages/auth-clients/src/main/AuthenticationClient.ts))
+  in order to make authorized client credentials calls to Prisoner Search.
+* `logger`: Bunyan logger for logging permissions events. Defaults to using `console`.
+* `telemetryClient`: Optional but recommended. Instead of just logging permissions events, this provides richer metadata to Application Insights.
+
+e.g.
+
+```typescript
+import { PermissionsService  } from '@ministryofjustice/hmpps-prison-permissions-lib'
+
+...
+
+const prisonPermissionsService = PermissionsService.create({
+  prisonApiConfig: config.apis.prisonApi,
+  prisonerSearchConfig: config.apis.prisonerSearchApi,
+  authenticationClient: new AuthenticationClient(config.apis.hmppsAuth, logger, tokenStore),
+  logger,
+  telemetryClient,
+})
+```
+
+### 3. Ensure your client has the role `ROLE_VIEW_PRISONER_DATA`...
+
+...in order to be able to successfully call Prisoner Search ([see Swagger docs](https://prisoner-search-dev.prison.service.justice.gov.uk/swagger-ui/index.html)).
+
+### 4. Add the `prisonerPermissionsGuard` middleware to your service's routes:
+
+e.g.
+
+```typescript
+import { PrisonerBasePermission, prisonerPermissionsGuard } from '@ministryofjustice/hmpps-prison-permissions-lib'
+
+...
+
+get(
+  `prisoner/{prisonerNumber}/somepage`,
+  ...
+  prisonerPermissionsGuard(permissionsService, { requestDependentOn: [PrisonerBasePermission.read] }),
+  async (req, res, next) => {
+    ...
+```
+
+### 5. Ensure you handle 403s as required
+
+If the user does not have the required permissions listed in `requestDependentOn`, then the middleware will
+throw a `PrisonerPermissionError` with a status code of 403. The Typescript Template by default logs the user
+out when encountering an error status of 403, see [here](https://github.com/ministryofjustice/hmpps-template-typescript/blob/main/server/errorHandler.ts#L9).

package/dist/index.cjs

@@ -0,0 +1,256 @@
+'use strict';
+
+var hmppsRestClient = require('@ministryofjustice/hmpps-rest-client');
+
+class PrisonApiClient extends hmppsRestClient.RestClient {
+    constructor(logger, config) {
+        super('Prison API', config, logger);
+    }
+    isUserAKeyWorker(userToken, staffId, agencyId) {
+        return this.get({ path: `/api/staff/${staffId}/${agencyId}/roles/KW` }, hmppsRestClient.asUser(userToken));
+    }
+}
+
+// eslint-disable-next-line import/prefer-default-export
+var PermissionCheckStatus;
+(function (PermissionCheckStatus) {
+    PermissionCheckStatus["NOT_PERMITTED"] = "NOT_PERMITTED";
+    PermissionCheckStatus["NOT_IN_CASELOAD"] = "NOT_IN_CASELOAD";
+    PermissionCheckStatus["RESTRICTED_PATIENT"] = "RESTRICTED_PATIENT";
+    PermissionCheckStatus["PRISONER_IS_RELEASED"] = "PRISONER_IS_RELEASED";
+    PermissionCheckStatus["PRISONER_IS_TRANSFERRING"] = "PRISONER_IS_TRANSFERRING";
+    PermissionCheckStatus["OK"] = "OK";
+})(PermissionCheckStatus || (PermissionCheckStatus = {}));
+
+class PermissionsLogger {
+    logger;
+    telemetryClient;
+    constructor(logger, telemetryClient) {
+        this.logger = logger;
+        this.telemetryClient = telemetryClient;
+    }
+    logPermissionCheckStatus(user, prisoner, permission, permissionCheckStatus) {
+        if (permissionCheckStatus === PermissionCheckStatus.OK)
+            return;
+        if (this.telemetryClient) {
+            this.telemetryClient.trackEvent({
+                name: 'prisoner-permission-check-failed',
+                properties: {
+                    username: user.username,
+                    prisonerNumber: prisoner.prisonerNumber,
+                    activeCaseLoad: user.authSource === 'nomis' && user.activeCaseLoadId,
+                    permissionChecked: permission,
+                    status: permissionCheckStatus,
+                },
+            });
+        }
+        else {
+            this.logger.info(`Prisoner permission check failed: ${permission} (${permissionCheckStatus}) for user ${user.username}`);
+        }
+    }
+}
+
+exports.PrisonerBasePermission = void 0;
+(function (PrisonerBasePermission) {
+    PrisonerBasePermission["read"] = "prisoner:base-record:read";
+})(exports.PrisonerBasePermission || (exports.PrisonerBasePermission = {}));
+function checkPrisonerAccess(permission, permissions) {
+    if (permission === exports.PrisonerBasePermission.read) {
+        return permissions[exports.PrisonerBasePermission.read];
+    }
+    // TODO: Check each domain group for the permission
+    return false;
+}
+
+const isInUsersCaseLoad = (prisonId, user) => user.authSource === 'nomis' && user.caseLoads?.some(caseLoad => caseLoad.caseLoadId === prisonId);
+const userHasRoles = (rolesToCheck, userRoles) => {
+    const normaliseRoleText = (role) => role.replace(/ROLE_/, '');
+    return rolesToCheck.map(normaliseRoleText).some(role => userRoles.map(normaliseRoleText).includes(role));
+};
+
+// eslint-disable-next-line import/prefer-default-export
+var Role;
+(function (Role) {
+    Role["GlobalSearch"] = "ROLE_GLOBAL_SEARCH";
+    Role["InactiveBookings"] = "ROLE_INACTIVE_BOOKINGS";
+    Role["PomUser"] = "ROLE_POM";
+    Role["PrisonUser"] = "ROLE_PRISON";
+})(Role || (Role = {}));
+
+/*
+ * Restricted patients can be accessed in the following circumstances:
+ * - The user has the "Inactive Bookings" role
+ * - The user is a POM user and has the supporting prison ID in their caseloads
+ */
+function restrictedPatientCheck(user, prisoner) {
+    const { userRoles } = user;
+    const pomUser = userHasRoles([Role.PomUser], userRoles);
+    const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles);
+    const userHasPrisonersSupportingPrisonInTheirCaseLoad = isInUsersCaseLoad(prisoner.supportingPrisonId, user);
+    const userIsPomUserWithSupportingPrisonInTheirCaseLoad = pomUser && userHasPrisonersSupportingPrisonInTheirCaseLoad;
+    if (userIsPomUserWithSupportingPrisonInTheirCaseLoad)
+        return PermissionCheckStatus.OK;
+    if (inactiveBookingsUser)
+        return PermissionCheckStatus.OK;
+    return PermissionCheckStatus.RESTRICTED_PATIENT;
+}
+
+/*
+ * Released prisoners can be accessed in the following circumstances:
+ * - The user has the "Inactive Bookings" role
+ */
+function releasedPrisonerCheck(user) {
+    const { userRoles } = user;
+    const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles);
+    if (inactiveBookingsUser)
+        return PermissionCheckStatus.OK;
+    return PermissionCheckStatus.PRISONER_IS_RELEASED;
+}
+
+/*
+ * Transferring prisoners can be accessed in the following circumstances:
+ * - The user has the "Global search" role
+ * - The user has the "Inactive Bookings" role
+ */
+function transferringPrisonerCheck(user) {
+    const { userRoles } = user;
+    const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles);
+    const globalSearchUser = userHasRoles([Role.GlobalSearch], userRoles);
+    if (globalSearchUser)
+        return PermissionCheckStatus.OK;
+    if (inactiveBookingsUser)
+        return PermissionCheckStatus.OK;
+    return PermissionCheckStatus.PRISONER_IS_TRANSFERRING;
+}
+
+function baseCheck(user, prisoner) {
+    const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user);
+    const globalSearchUser = userHasRoles([Role.GlobalSearch], user.userRoles);
+    if (prisoner.restrictedPatient)
+        return restrictedPatientCheck(user, prisoner);
+    if (prisoner.prisonId === 'OUT')
+        return releasedPrisonerCheck(user);
+    if (prisoner.prisonId === 'TRN')
+        return transferringPrisonerCheck(user);
+    if (inUsersCaseLoad || globalSearchUser)
+        return PermissionCheckStatus.OK;
+    return PermissionCheckStatus.NOT_IN_CASELOAD;
+}
+
+class PrisonerSearchClient extends hmppsRestClient.RestClient {
+    constructor(logger, config, authenticationClient) {
+        super('Prisoner Search', config, logger, authenticationClient);
+    }
+    getPrisonerDetails(prisonerNumber) {
+        return this.get({ path: `/prisoner/${prisonerNumber}` }, hmppsRestClient.asSystem());
+    }
+}
+
+class PermissionsService {
+    prisonApiClient;
+    prisonerSearchClient;
+    permissionsLogger;
+    static create({ prisonApiConfig, prisonerSearchConfig, authenticationClient, logger = console, telemetryClient, }) {
+        return new PermissionsService(new PrisonApiClient(logger, prisonApiConfig), new PrisonerSearchClient(logger, prisonerSearchConfig, authenticationClient), new PermissionsLogger(logger, telemetryClient));
+    }
+    constructor(prisonApiClient, prisonerSearchClient, permissionsLogger) {
+        this.prisonApiClient = prisonApiClient;
+        this.prisonerSearchClient = prisonerSearchClient;
+        this.permissionsLogger = permissionsLogger;
+    }
+    getPrisonerPermissions({ user, prisoner, requestDependentOn, }) {
+        const baseCheckStatus = baseCheck(user, prisoner);
+        const basePermission = exports.PrisonerBasePermission.read;
+        if (baseCheckStatus !== PermissionCheckStatus.OK && requestDependentOn.includes(basePermission)) {
+            this.permissionsLogger.logPermissionCheckStatus(user, prisoner, basePermission, baseCheckStatus);
+        }
+        return {
+            [exports.PrisonerBasePermission.read]: baseCheckStatus === PermissionCheckStatus.OK,
+            // TODO:
+            // domainGroups: {
+            //    ...
+            // },
+        };
+    }
+    async isUserAKeyWorkerAtPrison(token, user, prison) {
+        if (user.authSource !== 'nomis') {
+            return Promise.resolve(false);
+        }
+        return this.prisonApiClient.isUserAKeyWorker(token, user.staffId, prison);
+    }
+    getPrisonerDetails(prisonerNumber) {
+        return this.prisonerSearchClient.getPrisonerDetails(prisonerNumber);
+    }
+}
+
+class PrisonerPermissionError extends Error {
+    status = 403;
+    failedPermissionChecks;
+    constructor(message = 'Access not permitted', failedPermissionChecks = []) {
+        super(message);
+        this.name = 'NotFoundError';
+        this.failedPermissionChecks = failedPermissionChecks;
+    }
+}
+
+function prisonerPermissionsGuard(permissionsService, options) {
+    const { requestDependentOn, getPrisonerNumberFunction = getPrisonerNumberFrom } = options;
+    if (!requestDependentOn?.length)
+        throw Error('Unprotected route, must provide at least one dependent permission');
+    return async (req, res, next) => {
+        const prisonerData = await getPrisonerData(req, permissionsService, getPrisonerNumberFunction);
+        if (!prisonerData)
+            return next(Error('Could not retrieve prisoner data'));
+        await populateKeyWorkerData(req, res, prisonerData, permissionsService);
+        const prisonerPermissions = permissionsService.getPrisonerPermissions({
+            user: res.locals.user,
+            prisoner: prisonerData,
+            requestDependentOn,
+        });
+        const failedChecks = requestDependentOn.filter(permission => !checkPrisonerAccess(permission, prisonerPermissions));
+        if (failedChecks.length)
+            return next(new PrisonerPermissionError('Failed permissions checks', failedChecks));
+        req.middleware = { ...req.middleware, prisonerData };
+        res.locals.prisonerPermissions = prisonerPermissions;
+        return next();
+    };
+}
+function getPrisonerNumberFrom(req) {
+    if (req.params?.prisonerNumber) {
+        return req.params.prisonerNumber;
+    }
+    if (req.query?.prisonerNumber) {
+        return req.query.prisonerNumber;
+    }
+    return undefined;
+}
+async function getPrisonerData(req, permissionsService, getPrisonerNumberFunction) {
+    if (req.middleware?.prisonerData)
+        return req.middleware?.prisonerData;
+    const prisonerNumber = getPrisonerNumberFunction(req);
+    return prisonerNumber ? permissionsService.getPrisonerDetails(prisonerNumber) : undefined;
+}
+async function populateKeyWorkerData(req, res, prisoner, permissionsService) {
+    if (res.locals.user?.authSource !== 'nomis')
+        return;
+    const userCaseLoads = res.locals.user?.caseLoads?.map(caseLoad => caseLoad.caseLoadId);
+    if (!req.session)
+        throw new Error('User session required in order to cache key worker status');
+    const keyWorkerAtPrisons = req.session.keyWorkerAtPrisons ?? {};
+    if (prisoner.prisonId &&
+        userCaseLoads?.includes(prisoner.prisonId) &&
+        keyWorkerAtPrisons[prisoner.prisonId] === undefined) {
+        req.session.keyWorkerAtPrisons = {
+            ...keyWorkerAtPrisons,
+            [prisoner.prisonId]: await permissionsService.isUserAKeyWorkerAtPrison(res.locals.user.token, res.locals.user, prisoner.prisonId),
+        };
+    }
+    // This information is then provided to the user object on res.locals
+    res.locals.user.keyWorkerAtPrisons = req.session.keyWorkerAtPrisons || {};
+}
+
+exports.HmppsPermissionsError = PrisonerPermissionError;
+exports.PermissionsService = PermissionsService;
+exports.checkPrisonerAccess = checkPrisonerAccess;
+exports.prisonerPermissionsGuard = prisonerPermissionsGuard;
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs","sources":["../src/main/data/prisonApi/PrisonApiClient.ts","../src/main/types/permissions/PermissionCheckStatus.ts","../src/main/services/permissions/PermissionsLogger.ts","../src/main/types/permissions/prisoner/PrisonerPermissions.ts","../src/main/services/permissions/utils/PermissionUtils.ts","../src/main/types/user/Role.ts","../src/main/services/permissions/checks/baseCheck/RestrictedPatientCheck.ts","../src/main/services/permissions/checks/baseCheck/ReleasedPrisonerCheck.ts","../src/main/services/permissions/checks/baseCheck/TransferingPrisonerCheck.ts","../src/main/services/permissions/checks/baseCheck/BaseCheck.ts","../src/main/data/hmppsPrisonerSearch/PrisonerSearchClient.ts","../src/main/services/permissions/PermissionsService.ts","../src/main/types/errors/PrisonerPermissionError.ts","../src/main/middleware/PrisonerPermissionsGuard.ts"],"sourcesContent":["import { RestClient, ApiConfig, asUser } from '@ministryofjustice/hmpps-rest-client'\nimport type Logger from 'bunyan'\n\nexport default class PrisonApiClient extends RestClient {\n  constructor(logger: Logger | Console, config: ApiConfig) {\n    super('Prison API', config, logger)\n  }\n\n  isUserAKeyWorker(userToken: string, staffId: number, agencyId: string): Promise<boolean> {\n    return this.get<boolean>({ path: `/api/staff/${staffId}/${agencyId}/roles/KW` }, asUser(userToken))\n  }\n}\n","// eslint-disable-next-line import/prefer-default-export\nexport enum PermissionCheckStatus {\n  NOT_PERMITTED = 'NOT_PERMITTED', // Generic not permitted status - default\n  NOT_IN_CASELOAD = 'NOT_IN_CASELOAD',\n  RESTRICTED_PATIENT = 'RESTRICTED_PATIENT',\n  PRISONER_IS_RELEASED = 'PRISONER_IS_RELEASED',\n  PRISONER_IS_TRANSFERRING = 'PRISONER_IS_TRANSFERRING',\n  OK = 'OK',\n}\n","import { TelemetryClient } from 'applicationinsights'\nimport type Logger from 'bunyan'\nimport { PermissionCheckStatus } from '../../types/permissions/PermissionCheckStatus'\nimport { HmppsUser } from '../../types/user/HmppsUser'\nimport Prisoner from '../../data/hmppsPrisonerSearch/interfaces/Prisoner'\nimport { PrisonerPermission } from '../../types/permissions/prisoner/PrisonerPermissions'\n\nexport default class PermissionsLogger {\n  constructor(\n    private readonly logger: Logger | Console,\n    private readonly telemetryClient?: TelemetryClient,\n  ) {}\n\n  logPermissionCheckStatus(\n    user: HmppsUser,\n    prisoner: Prisoner,\n    permission: PrisonerPermission,\n    permissionCheckStatus: PermissionCheckStatus,\n  ) {\n    if (permissionCheckStatus === PermissionCheckStatus.OK) return\n\n    if (this.telemetryClient) {\n      this.telemetryClient.trackEvent({\n        name: 'prisoner-permission-check-failed',\n        properties: {\n          username: user.username,\n          prisonerNumber: prisoner.prisonerNumber,\n          activeCaseLoad: user.authSource === 'nomis' && user.activeCaseLoadId,\n          permissionChecked: permission,\n          status: permissionCheckStatus,\n        },\n      })\n    } else {\n      this.logger.info(\n        `Prisoner permission check failed: ${permission} (${permissionCheckStatus}) for user ${user.username}`,\n      )\n    }\n  }\n}\n","export enum PrisonerBasePermission {\n  read = 'prisoner:base-record:read',\n}\n\n/**\n * These permissions define what a HMPPS user can do with respect to data held about a prisoner.\n */\nexport interface PrisonerPermissions {\n  [PrisonerBasePermission.read]: boolean\n\n  // TODO:\n  // domainGroups: {\n  //   ...\n  // }\n}\n\nexport type PrisonerPermission = PrisonerBasePermission\n\nexport function checkPrisonerAccess(permission: PrisonerPermission, permissions: PrisonerPermissions): boolean {\n  if (permission === PrisonerBasePermission.read) {\n    return permissions[PrisonerBasePermission.read]\n  }\n\n  // TODO: Check each domain group for the permission\n\n  return false\n}\n","import { HmppsUser } from '../../../types/user/HmppsUser'\n\nexport const isInUsersCaseLoad = (prisonId: string | undefined, user: HmppsUser): boolean =>\n  user.authSource === 'nomis' && user.caseLoads?.some(caseLoad => caseLoad.caseLoadId === prisonId)\n\nexport const userHasRoles = (rolesToCheck: string[], userRoles: string[]): boolean => {\n  const normaliseRoleText = (role: string): string => role.replace(/ROLE_/, '')\n  return rolesToCheck.map(normaliseRoleText).some(role => userRoles.map(normaliseRoleText).includes(role))\n}\n","// eslint-disable-next-line import/prefer-default-export\nexport enum Role {\n  GlobalSearch = 'ROLE_GLOBAL_SEARCH',\n  InactiveBookings = 'ROLE_INACTIVE_BOOKINGS',\n  PomUser = 'ROLE_POM',\n  PrisonUser = 'ROLE_PRISON',\n}\n","import { HmppsUser } from '../../../../types/user/HmppsUser'\nimport Prisoner from '../../../../data/hmppsPrisonerSearch/interfaces/Prisoner'\nimport { isInUsersCaseLoad, userHasRoles } from '../../utils/PermissionUtils'\nimport { Role } from '../../../../types/user/Role'\nimport { PermissionCheckStatus } from '../../../../types/permissions/PermissionCheckStatus'\n\n/*\n * Restricted patients can be accessed in the following circumstances:\n * - The user has the \"Inactive Bookings\" role\n * - The user is a POM user and has the supporting prison ID in their caseloads\n */\nexport default function restrictedPatientCheck(user: HmppsUser, prisoner: Prisoner): PermissionCheckStatus {\n  const { userRoles } = user\n  const pomUser = userHasRoles([Role.PomUser], userRoles)\n  const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles)\n\n  const userHasPrisonersSupportingPrisonInTheirCaseLoad = isInUsersCaseLoad(prisoner.supportingPrisonId, user)\n  const userIsPomUserWithSupportingPrisonInTheirCaseLoad = pomUser && userHasPrisonersSupportingPrisonInTheirCaseLoad\n\n  if (userIsPomUserWithSupportingPrisonInTheirCaseLoad) return PermissionCheckStatus.OK\n  if (inactiveBookingsUser) return PermissionCheckStatus.OK\n\n  return PermissionCheckStatus.RESTRICTED_PATIENT\n}\n","import { HmppsUser } from '../../../../types/user/HmppsUser'\nimport { userHasRoles } from '../../utils/PermissionUtils'\nimport { Role } from '../../../../types/user/Role'\nimport { PermissionCheckStatus } from '../../../../types/permissions/PermissionCheckStatus'\n\n/*\n * Released prisoners can be accessed in the following circumstances:\n * - The user has the \"Inactive Bookings\" role\n */\nexport default function releasedPrisonerCheck(user: HmppsUser): PermissionCheckStatus {\n  const { userRoles } = user\n  const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles)\n\n  if (inactiveBookingsUser) return PermissionCheckStatus.OK\n\n  return PermissionCheckStatus.PRISONER_IS_RELEASED\n}\n","import { HmppsUser } from '../../../../types/user/HmppsUser'\nimport { userHasRoles } from '../../utils/PermissionUtils'\nimport { Role } from '../../../../types/user/Role'\nimport { PermissionCheckStatus } from '../../../../types/permissions/PermissionCheckStatus'\n\n/*\n * Transferring prisoners can be accessed in the following circumstances:\n * - The user has the \"Global search\" role\n * - The user has the \"Inactive Bookings\" role\n */\nexport default function transferringPrisonerCheck(user: HmppsUser): PermissionCheckStatus {\n  const { userRoles } = user\n  const inactiveBookingsUser = userHasRoles([Role.InactiveBookings], userRoles)\n  const globalSearchUser = userHasRoles([Role.GlobalSearch], userRoles)\n\n  if (globalSearchUser) return PermissionCheckStatus.OK\n  if (inactiveBookingsUser) return PermissionCheckStatus.OK\n\n  return PermissionCheckStatus.PRISONER_IS_TRANSFERRING\n}\n","/*\n * The \"default\" access checks for accessing information about a prisoner.\n *\n * This function can be used for checking what we consider the \"base checks\" for accessing a page on the prisoner profile\n * when no other special cases are given.\n *\n * It provides the following options for special circumstances:\n *\n * - allowGlobal (default: true): Does the page allow access to users outside the prisoners current case load\n */\nimport { HmppsUser } from '../../../../types/user/HmppsUser'\nimport Prisoner from '../../../../data/hmppsPrisonerSearch/interfaces/Prisoner'\nimport { isInUsersCaseLoad, userHasRoles } from '../../utils/PermissionUtils'\nimport { Role } from '../../../../types/user/Role'\nimport { PermissionCheckStatus } from '../../../../types/permissions/PermissionCheckStatus'\nimport restrictedPatientCheck from './RestrictedPatientCheck'\nimport releasedPrisonerCheck from './ReleasedPrisonerCheck'\nimport transferringPrisonerCheck from './TransferingPrisonerCheck'\n\nexport default function baseCheck(user: HmppsUser, prisoner: Prisoner): PermissionCheckStatus {\n  const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user)\n  const globalSearchUser = userHasRoles([Role.GlobalSearch], user.userRoles)\n\n  if (prisoner.restrictedPatient) return restrictedPatientCheck(user, prisoner)\n  if (prisoner.prisonId === 'OUT') return releasedPrisonerCheck(user)\n  if (prisoner.prisonId === 'TRN') return transferringPrisonerCheck(user)\n  if (inUsersCaseLoad || globalSearchUser) return PermissionCheckStatus.OK\n\n  return PermissionCheckStatus.NOT_IN_CASELOAD\n}\n","import { RestClient, ApiConfig, AuthenticationClient, asSystem } from '@ministryofjustice/hmpps-rest-client'\nimport type Logger from 'bunyan'\nimport Prisoner from './interfaces/Prisoner'\n\nexport default class PrisonerSearchClient extends RestClient {\n  constructor(logger: Logger | Console, config: ApiConfig, authenticationClient: AuthenticationClient) {\n    super('Prisoner Search', config, logger, authenticationClient)\n  }\n\n  getPrisonerDetails(prisonerNumber: string): Promise<Prisoner> {\n    return this.get<Prisoner>({ path: `/prisoner/${prisonerNumber}` }, asSystem())\n  }\n}\n","import type bunyan from 'bunyan'\nimport { ApiConfig, AuthenticationClient } from '@ministryofjustice/hmpps-rest-client'\nimport { TelemetryClient } from 'applicationinsights'\nimport Prisoner from '../../data/hmppsPrisonerSearch/interfaces/Prisoner'\nimport PrisonApiClient from '../../data/prisonApi/PrisonApiClient'\nimport { HmppsUser } from '../../types/user/HmppsUser'\nimport PermissionsLogger from './PermissionsLogger'\nimport {\n  PrisonerBasePermission,\n  PrisonerPermission,\n  PrisonerPermissions,\n} from '../../types/permissions/prisoner/PrisonerPermissions'\nimport baseCheck from './checks/baseCheck/BaseCheck'\nimport { PermissionCheckStatus } from '../../types/permissions/PermissionCheckStatus'\nimport PrisonerSearchClient from '../../data/hmppsPrisonerSearch/PrisonerSearchClient'\n\nexport default class PermissionsService {\n  private readonly prisonApiClient: PrisonApiClient\n\n  private readonly prisonerSearchClient: PrisonerSearchClient\n\n  readonly permissionsLogger: PermissionsLogger\n\n  static create({\n    prisonApiConfig,\n    prisonerSearchConfig,\n    authenticationClient,\n    logger = console,\n    telemetryClient,\n  }: {\n    prisonApiConfig: ApiConfig\n    prisonerSearchConfig: ApiConfig\n    authenticationClient: AuthenticationClient\n    logger?: bunyan | typeof console\n    telemetryClient?: TelemetryClient\n  }): PermissionsService {\n    return new PermissionsService(\n      new PrisonApiClient(logger, prisonApiConfig),\n      new PrisonerSearchClient(logger, prisonerSearchConfig, authenticationClient),\n      new PermissionsLogger(logger, telemetryClient),\n    )\n  }\n\n  private constructor(\n    prisonApiClient: PrisonApiClient,\n    prisonerSearchClient: PrisonerSearchClient,\n    permissionsLogger: PermissionsLogger,\n  ) {\n    this.prisonApiClient = prisonApiClient\n    this.prisonerSearchClient = prisonerSearchClient\n    this.permissionsLogger = permissionsLogger\n  }\n\n  public getPrisonerPermissions({\n    user,\n    prisoner,\n    requestDependentOn,\n  }: {\n    user: HmppsUser\n    prisoner: Prisoner\n    requestDependentOn: PrisonerPermission[]\n  }): PrisonerPermissions {\n    const baseCheckStatus = baseCheck(user, prisoner)\n    const basePermission = PrisonerBasePermission.read\n\n    if (baseCheckStatus !== PermissionCheckStatus.OK && requestDependentOn.includes(basePermission)) {\n      this.permissionsLogger.logPermissionCheckStatus(user, prisoner, basePermission, baseCheckStatus)\n    }\n\n    return {\n      [PrisonerBasePermission.read]: baseCheckStatus === PermissionCheckStatus.OK,\n\n      // TODO:\n      // domainGroups: {\n      //    ...\n      // },\n    } as PrisonerPermissions\n  }\n\n  public async isUserAKeyWorkerAtPrison(token: string, user: HmppsUser, prison: string): Promise<boolean> {\n    if (user.authSource !== 'nomis') {\n      return Promise.resolve(false)\n    }\n    return this.prisonApiClient.isUserAKeyWorker(token, user.staffId, prison)\n  }\n\n  public getPrisonerDetails(prisonerNumber: string): Promise<Prisoner> {\n    return this.prisonerSearchClient.getPrisonerDetails(prisonerNumber)\n  }\n}\n","import { PrisonerPermission } from '../permissions/prisoner/PrisonerPermissions'\n\nexport default class PrisonerPermissionError extends Error {\n  public status = 403\n\n  public failedPermissionChecks: PrisonerPermission[]\n\n  constructor(message = 'Access not permitted', failedPermissionChecks: PrisonerPermission[] = []) {\n    super(message)\n    this.name = 'NotFoundError'\n    this.failedPermissionChecks = failedPermissionChecks\n  }\n}\n","import type { NextFunction, Request, Response } from 'express'\nimport { checkPrisonerAccess, PrisonerPermission } from '../types/permissions/prisoner/PrisonerPermissions'\nimport PermissionsService from '../services/permissions/PermissionsService'\nimport PrisonerPermissionError from '../types/errors/PrisonerPermissionError'\nimport Prisoner from '../data/hmppsPrisonerSearch/interfaces/Prisoner'\n\nexport default function prisonerPermissionsGuard(\n  permissionsService: PermissionsService,\n  options: {\n    requestDependentOn: PrisonerPermission[]\n    getPrisonerNumberFunction?: (req: Request) => string | undefined\n  },\n) {\n  const { requestDependentOn, getPrisonerNumberFunction = getPrisonerNumberFrom } = options\n\n  if (!requestDependentOn?.length) throw Error('Unprotected route, must provide at least one dependent permission')\n\n  return async (req: Request, res: Response, next: NextFunction) => {\n    const prisonerData = await getPrisonerData(req, permissionsService, getPrisonerNumberFunction)\n    if (!prisonerData) return next(Error('Could not retrieve prisoner data'))\n\n    await populateKeyWorkerData(req, res, prisonerData, permissionsService)\n\n    const prisonerPermissions = permissionsService.getPrisonerPermissions({\n      user: res.locals.user,\n      prisoner: prisonerData,\n      requestDependentOn,\n    })\n\n    const failedChecks = requestDependentOn.filter(permission => !checkPrisonerAccess(permission, prisonerPermissions))\n\n    if (failedChecks.length) return next(new PrisonerPermissionError('Failed permissions checks', failedChecks))\n\n    req.middleware = { ...req.middleware, prisonerData }\n    res.locals.prisonerPermissions = prisonerPermissions\n    return next()\n  }\n}\n\nfunction getPrisonerNumberFrom(req: Request): string | undefined {\n  if (req.params?.prisonerNumber) {\n    return req.params.prisonerNumber\n  }\n  if (req.query?.prisonerNumber) {\n    return req.query.prisonerNumber as string\n  }\n  return undefined\n}\n\nasync function getPrisonerData(\n  req: Request,\n  permissionsService: PermissionsService,\n  getPrisonerNumberFunction: (req: Request) => string | undefined,\n): Promise<Prisoner | undefined> {\n  if (req.middleware?.prisonerData) return req.middleware?.prisonerData\n  const prisonerNumber = getPrisonerNumberFunction(req)\n  return prisonerNumber ? permissionsService.getPrisonerDetails(prisonerNumber) : undefined\n}\n\nasync function populateKeyWorkerData(\n  req: Request,\n  res: Response,\n  prisoner: Prisoner,\n  permissionsService: PermissionsService,\n): Promise<void> {\n  if (res.locals.user?.authSource !== 'nomis') return\n\n  const userCaseLoads = res.locals.user?.caseLoads?.map(caseLoad => caseLoad.caseLoadId)\n\n  if (!req.session) throw new Error('User session required in order to cache key worker status')\n  const keyWorkerAtPrisons = req.session.keyWorkerAtPrisons ?? {}\n\n  if (\n    prisoner.prisonId &&\n    userCaseLoads?.includes(prisoner.prisonId) &&\n    keyWorkerAtPrisons[prisoner.prisonId] === undefined\n  ) {\n    req.session.keyWorkerAtPrisons = {\n      ...keyWorkerAtPrisons,\n      [prisoner.prisonId]: await permissionsService.isUserAKeyWorkerAtPrison(\n        res.locals.user.token!,\n        res.locals.user,\n        prisoner.prisonId,\n      ),\n    }\n  }\n\n  // This information is then provided to the user object on res.locals\n  res.locals.user.keyWorkerAtPrisons = req.session.keyWorkerAtPrisons || {}\n}\n"],"names":["RestClient","asUser","PrisonerBasePermission","asSystem"],"mappings":";;;;AAGqB,MAAA,eAAgB,SAAQA,0BAAU,CAAA;IACrD,WAAY,CAAA,MAAwB,EAAE,MAAiB,EAAA;AACrD,QAAA,KAAK,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC;;AAGrC,IAAA,gBAAgB,CAAC,SAAiB,EAAE,OAAe,EAAE,QAAgB,EAAA;AACnE,QAAA,OAAO,IAAI,CAAC,GAAG,CAAU,EAAE,IAAI,EAAE,CAAc,WAAA,EAAA,OAAO,IAAI,QAAQ,CAAA,SAAA,CAAW,EAAE,EAAEC,sBAAM,CAAC,SAAS,CAAC,CAAC;;AAEtG;;ACXD;AACA,IAAY,qBAOX;AAPD,CAAA,UAAY,qBAAqB,EAAA;AAC/B,IAAA,qBAAA,CAAA,eAAA,CAAA,GAAA,eAA+B;AAC/B,IAAA,qBAAA,CAAA,iBAAA,CAAA,GAAA,iBAAmC;AACnC,IAAA,qBAAA,CAAA,oBAAA,CAAA,GAAA,oBAAyC;AACzC,IAAA,qBAAA,CAAA,sBAAA,CAAA,GAAA,sBAA6C;AAC7C,IAAA,qBAAA,CAAA,0BAAA,CAAA,GAAA,0BAAqD;AACrD,IAAA,qBAAA,CAAA,IAAA,CAAA,GAAA,IAAS;AACX,CAAC,EAPW,qBAAqB,KAArB,qBAAqB,GAOhC,EAAA,CAAA,CAAA;;ACDa,MAAO,iBAAiB,CAAA;AAEjB,IAAA,MAAA;AACA,IAAA,eAAA;IAFnB,WACmB,CAAA,MAAwB,EACxB,eAAiC,EAAA;QADjC,IAAM,CAAA,MAAA,GAAN,MAAM;QACN,IAAe,CAAA,eAAA,GAAf,eAAe;;AAGlC,IAAA,wBAAwB,CACtB,IAAe,EACf,QAAkB,EAClB,UAA8B,EAC9B,qBAA4C,EAAA;AAE5C,QAAA,IAAI,qBAAqB,KAAK,qBAAqB,CAAC,EAAE;YAAE;AAExD,QAAA,IAAI,IAAI,CAAC,eAAe,EAAE;AACxB,YAAA,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC;AAC9B,gBAAA,IAAI,EAAE,kCAAkC;AACxC,gBAAA,UAAU,EAAE;oBACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,cAAc,EAAE,QAAQ,CAAC,cAAc;oBACvC,cAAc,EAAE,IAAI,CAAC,UAAU,KAAK,OAAO,IAAI,IAAI,CAAC,gBAAgB;AACpE,oBAAA,iBAAiB,EAAE,UAAU;AAC7B,oBAAA,MAAM,EAAE,qBAAqB;AAC9B,iBAAA;AACF,aAAA,CAAC;;aACG;AACL,YAAA,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,CAAqC,kCAAA,EAAA,UAAU,CAAK,EAAA,EAAA,qBAAqB,cAAc,IAAI,CAAC,QAAQ,CAAA,CAAE,CACvG;;;AAGN;;ACtCWC;AAAZ,CAAA,UAAY,sBAAsB,EAAA;AAChC,IAAA,sBAAA,CAAA,MAAA,CAAA,GAAA,2BAAkC;AACpC,CAAC,EAFWA,8BAAsB,KAAtBA,8BAAsB,GAEjC,EAAA,CAAA,CAAA;AAgBe,SAAA,mBAAmB,CAAC,UAA8B,EAAE,WAAgC,EAAA;AAClG,IAAA,IAAI,UAAU,KAAKA,8BAAsB,CAAC,IAAI,EAAE;AAC9C,QAAA,OAAO,WAAW,CAACA,8BAAsB,CAAC,IAAI,CAAC;;;AAKjD,IAAA,OAAO,KAAK;AACd;;ACxBO,MAAM,iBAAiB,GAAG,CAAC,QAA4B,EAAE,IAAe,KAC7E,IAAI,CAAC,UAAU,KAAK,OAAO,IAAI,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC;AAE5F,MAAM,YAAY,GAAG,CAAC,YAAsB,EAAE,SAAmB,KAAa;AACnF,IAAA,MAAM,iBAAiB,GAAG,CAAC,IAAY,KAAa,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;IAC7E,OAAO,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC1G,CAAC;;ACRD;AACA,IAAY,IAKX;AALD,CAAA,UAAY,IAAI,EAAA;AACd,IAAA,IAAA,CAAA,cAAA,CAAA,GAAA,oBAAmC;AACnC,IAAA,IAAA,CAAA,kBAAA,CAAA,GAAA,wBAA2C;AAC3C,IAAA,IAAA,CAAA,SAAA,CAAA,GAAA,UAAoB;AACpB,IAAA,IAAA,CAAA,YAAA,CAAA,GAAA,aAA0B;AAC5B,CAAC,EALW,IAAI,KAAJ,IAAI,GAKf,EAAA,CAAA,CAAA;;ACAD;;;;AAIG;AACW,SAAU,sBAAsB,CAAC,IAAe,EAAE,QAAkB,EAAA;AAChF,IAAA,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI;AAC1B,IAAA,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;AACvD,IAAA,MAAM,oBAAoB,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,SAAS,CAAC;IAE7E,MAAM,+CAA+C,GAAG,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,EAAE,IAAI,CAAC;AAC5G,IAAA,MAAM,gDAAgD,GAAG,OAAO,IAAI,+CAA+C;AAEnH,IAAA,IAAI,gDAAgD;QAAE,OAAO,qBAAqB,CAAC,EAAE;AACrF,IAAA,IAAI,oBAAoB;QAAE,OAAO,qBAAqB,CAAC,EAAE;IAEzD,OAAO,qBAAqB,CAAC,kBAAkB;AACjD;;AClBA;;;AAGG;AACqB,SAAA,qBAAqB,CAAC,IAAe,EAAA;AAC3D,IAAA,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI;AAC1B,IAAA,MAAM,oBAAoB,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,SAAS,CAAC;AAE7E,IAAA,IAAI,oBAAoB;QAAE,OAAO,qBAAqB,CAAC,EAAE;IAEzD,OAAO,qBAAqB,CAAC,oBAAoB;AACnD;;ACXA;;;;AAIG;AACqB,SAAA,yBAAyB,CAAC,IAAe,EAAA;AAC/D,IAAA,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI;AAC1B,IAAA,MAAM,oBAAoB,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,SAAS,CAAC;AAC7E,IAAA,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,SAAS,CAAC;AAErE,IAAA,IAAI,gBAAgB;QAAE,OAAO,qBAAqB,CAAC,EAAE;AACrD,IAAA,IAAI,oBAAoB;QAAE,OAAO,qBAAqB,CAAC,EAAE;IAEzD,OAAO,qBAAqB,CAAC,wBAAwB;AACvD;;ACAc,SAAU,SAAS,CAAC,IAAe,EAAE,QAAkB,EAAA;IACnE,MAAM,eAAe,GAAG,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;AAClE,IAAA,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC;IAE1E,IAAI,QAAQ,CAAC,iBAAiB;AAAE,QAAA,OAAO,sBAAsB,CAAC,IAAI,EAAE,QAAQ,CAAC;AAC7E,IAAA,IAAI,QAAQ,CAAC,QAAQ,KAAK,KAAK;AAAE,QAAA,OAAO,qBAAqB,CAAC,IAAI,CAAC;AACnE,IAAA,IAAI,QAAQ,CAAC,QAAQ,KAAK,KAAK;AAAE,QAAA,OAAO,yBAAyB,CAAC,IAAI,CAAC;IACvE,IAAI,eAAe,IAAI,gBAAgB;QAAE,OAAO,qBAAqB,CAAC,EAAE;IAExE,OAAO,qBAAqB,CAAC,eAAe;AAC9C;;ACzBqB,MAAA,oBAAqB,SAAQF,0BAAU,CAAA;AAC1D,IAAA,WAAA,CAAY,MAAwB,EAAE,MAAiB,EAAE,oBAA0C,EAAA;QACjG,KAAK,CAAC,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,oBAAoB,CAAC;;AAGhE,IAAA,kBAAkB,CAAC,cAAsB,EAAA;AACvC,QAAA,OAAO,IAAI,CAAC,GAAG,CAAW,EAAE,IAAI,EAAE,CAAa,UAAA,EAAA,cAAc,EAAE,EAAE,EAAEG,wBAAQ,EAAE,CAAC;;AAEjF;;ACIa,MAAO,kBAAkB,CAAA;AACpB,IAAA,eAAe;AAEf,IAAA,oBAAoB;AAE5B,IAAA,iBAAiB;AAE1B,IAAA,OAAO,MAAM,CAAC,EACZ,eAAe,EACf,oBAAoB,EACpB,oBAAoB,EACpB,MAAM,GAAG,OAAO,EAChB,eAAe,GAOhB,EAAA;AACC,QAAA,OAAO,IAAI,kBAAkB,CAC3B,IAAI,eAAe,CAAC,MAAM,EAAE,eAAe,CAAC,EAC5C,IAAI,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,EAAE,oBAAoB,CAAC,EAC5E,IAAI,iBAAiB,CAAC,MAAM,EAAE,eAAe,CAAC,CAC/C;;AAGH,IAAA,WAAA,CACE,eAAgC,EAChC,oBAA0C,EAC1C,iBAAoC,EAAA;AAEpC,QAAA,IAAI,CAAC,eAAe,GAAG,eAAe;AACtC,QAAA,IAAI,CAAC,oBAAoB,GAAG,oBAAoB;AAChD,QAAA,IAAI,CAAC,iBAAiB,GAAG,iBAAiB;;AAGrC,IAAA,sBAAsB,CAAC,EAC5B,IAAI,EACJ,QAAQ,EACR,kBAAkB,GAKnB,EAAA;QACC,MAAM,eAAe,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC;AACjD,QAAA,MAAM,cAAc,GAAGD,8BAAsB,CAAC,IAAI;AAElD,QAAA,IAAI,eAAe,KAAK,qBAAqB,CAAC,EAAE,IAAI,kBAAkB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE;AAC/F,YAAA,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,eAAe,CAAC;;QAGlG,OAAO;YACL,CAACA,8BAAsB,CAAC,IAAI,GAAG,eAAe,KAAK,qBAAqB,CAAC,EAAE;;;;;SAMrD;;AAGnB,IAAA,MAAM,wBAAwB,CAAC,KAAa,EAAE,IAAe,EAAE,MAAc,EAAA;AAClF,QAAA,IAAI,IAAI,CAAC,UAAU,KAAK,OAAO,EAAE;AAC/B,YAAA,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC;;AAE/B,QAAA,OAAO,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC;;AAGpE,IAAA,kBAAkB,CAAC,cAAsB,EAAA;QAC9C,OAAO,IAAI,CAAC,oBAAoB,CAAC,kBAAkB,CAAC,cAAc,CAAC;;AAEtE;;ACvFoB,MAAA,uBAAwB,SAAQ,KAAK,CAAA;IACjD,MAAM,GAAG,GAAG;AAEZ,IAAA,sBAAsB;AAE7B,IAAA,WAAA,CAAY,OAAO,GAAG,sBAAsB,EAAE,yBAA+C,EAAE,EAAA;QAC7F,KAAK,CAAC,OAAO,CAAC;AACd,QAAA,IAAI,CAAC,IAAI,GAAG,eAAe;AAC3B,QAAA,IAAI,CAAC,sBAAsB,GAAG,sBAAsB;;AAEvD;;ACNa,SAAU,wBAAwB,CAC9C,kBAAsC,EACtC,OAGC,EAAA;IAED,MAAM,EAAE,kBAAkB,EAAE,yBAAyB,GAAG,qBAAqB,EAAE,GAAG,OAAO;IAEzF,IAAI,CAAC,kBAAkB,EAAE,MAAM;AAAE,QAAA,MAAM,KAAK,CAAC,mEAAmE,CAAC;IAEjH,OAAO,OAAO,GAAY,EAAE,GAAa,EAAE,IAAkB,KAAI;QAC/D,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,kBAAkB,EAAE,yBAAyB,CAAC;AAC9F,QAAA,IAAI,CAAC,YAAY;AAAE,YAAA,OAAO,IAAI,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAEzE,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,kBAAkB,CAAC;AAEvE,QAAA,MAAM,mBAAmB,GAAG,kBAAkB,CAAC,sBAAsB,CAAC;AACpE,YAAA,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;AACrB,YAAA,QAAQ,EAAE,YAAY;YACtB,kBAAkB;AACnB,SAAA,CAAC;AAEF,QAAA,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,mBAAmB,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;QAEnH,IAAI,YAAY,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,IAAI,uBAAuB,CAAC,2BAA2B,EAAE,YAAY,CAAC,CAAC;QAE5G,GAAG,CAAC,UAAU,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE;AACpD,QAAA,GAAG,CAAC,MAAM,CAAC,mBAAmB,GAAG,mBAAmB;QACpD,OAAO,IAAI,EAAE;AACf,KAAC;AACH;AAEA,SAAS,qBAAqB,CAAC,GAAY,EAAA;AACzC,IAAA,IAAI,GAAG,CAAC,MAAM,EAAE,cAAc,EAAE;AAC9B,QAAA,OAAO,GAAG,CAAC,MAAM,CAAC,cAAc;;AAElC,IAAA,IAAI,GAAG,CAAC,KAAK,EAAE,cAAc,EAAE;AAC7B,QAAA,OAAO,GAAG,CAAC,KAAK,CAAC,cAAwB;;AAE3C,IAAA,OAAO,SAAS;AAClB;AAEA,eAAe,eAAe,CAC5B,GAAY,EACZ,kBAAsC,EACtC,yBAA+D,EAAA;AAE/D,IAAA,IAAI,GAAG,CAAC,UAAU,EAAE,YAAY;AAAE,QAAA,OAAO,GAAG,CAAC,UAAU,EAAE,YAAY;AACrE,IAAA,MAAM,cAAc,GAAG,yBAAyB,CAAC,GAAG,CAAC;AACrD,IAAA,OAAO,cAAc,GAAG,kBAAkB,CAAC,kBAAkB,CAAC,cAAc,CAAC,GAAG,SAAS;AAC3F;AAEA,eAAe,qBAAqB,CAClC,GAAY,EACZ,GAAa,EACb,QAAkB,EAClB,kBAAsC,EAAA;IAEtC,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO;QAAE;IAE7C,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,CAAC,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC;IAEtF,IAAI,CAAC,GAAG,CAAC,OAAO;AAAE,QAAA,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC;IAC9F,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,kBAAkB,IAAI,EAAE;IAE/D,IACE,QAAQ,CAAC,QAAQ;AACjB,QAAA,aAAa,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC1C,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,SAAS,EACnD;AACA,QAAA,GAAG,CAAC,OAAO,CAAC,kBAAkB,GAAG;AAC/B,YAAA,GAAG,kBAAkB;YACrB,CAAC,QAAQ,CAAC,QAAQ,GAAG,MAAM,kBAAkB,CAAC,wBAAwB,CACpE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAM,EACtB,GAAG,CAAC,MAAM,CAAC,IAAI,EACf,QAAQ,CAAC,QAAQ,CAClB;SACF;;;AAIH,IAAA,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,kBAAkB,IAAI,EAAE;AAC3E;;;;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,147 @@
+import { ApiConfig, AuthenticationClient } from '@ministryofjustice/hmpps-rest-client';
+import { TelemetryClient } from 'applicationinsights';
+import bunyan from 'bunyan';
+import { Request, Response, NextFunction } from 'express';
+
+interface PermissionsOptions {
+    prisonApiConfig: ApiConfig;
+    prisonerSearchConfig: ApiConfig;
+    logger?: bunyan | typeof console;
+    telemetryClient?: TelemetryClient;
+}
+
+declare enum PrisonerBasePermission {
+    read = "prisoner:base-record:read"
+}
+/**
+ * These permissions define what a HMPPS user can do with respect to data held about a prisoner.
+ */
+interface PrisonerPermissions {
+    [PrisonerBasePermission.read]: boolean;
+}
+type PrisonerPermission = PrisonerBasePermission;
+declare function checkPrisonerAccess(permission: PrisonerPermission, permissions: PrisonerPermissions): boolean;
+
+interface Prisoner {
+    prisonerNumber: string;
+    prisonId?: string;
+    restrictedPatient: boolean;
+    supportingPrisonId?: string;
+}
+
+interface CaseLoad {
+    caseLoadId: string;
+    description: string;
+    type: string;
+    caseloadFunction: string;
+    currentlyActive: boolean;
+}
+
+type AuthSource = 'nomis' | 'delius' | 'external' | 'azuread';
+/**
+ * These are the details that all user types share.
+ */
+interface BaseUser {
+    authSource: AuthSource;
+    username: string;
+    userId: string;
+    name: string;
+    displayName: string;
+    userRoles: string[];
+    token?: string;
+    backLink?: string;
+}
+/**
+ * Prison users are those that have a user account in NOMIS.
+ * HMPPS Auth automatically grants these users a `ROLE_PRISON` role.
+ * Prison users have an additional numerical staffId. The userId is
+ * a stringified version of the staffId. Some teams may need to separately
+ * retrieve the user case load (which prisons that a prison user has access
+ * to) and store it here, an example can be found in `hmpps-prisoner-profile`.
+ */
+interface PrisonUser extends BaseUser {
+    authSource: 'nomis';
+    staffId: number;
+    activeCaseLoadId: string;
+    caseLoads: CaseLoad[];
+    keyWorkerAtPrisons: Record<string, boolean>;
+}
+/**
+ * Probation users are those that have a user account in nDelius.
+ * HMPPS Auth automatically grants these users a `ROLE_PROBATION` role.
+ */
+interface ProbationUser extends BaseUser {
+    authSource: 'delius';
+}
+/**
+ * External users are those that have a user account in our External Users
+ * database. These accounts are created for users that need access to HMPPS
+ * services but have neither NOMIS nor nDelius access.
+ */
+interface ExternalUser extends BaseUser {
+    authSource: 'external';
+}
+/**
+ * AzureAD users are those that have a justice.gov.uk email address and
+ * an account in MoJ's Azure AD (now called Entra ID) tenant. HMPPS Auth
+ * will normally check to see if there is a Prison/Probation/External
+ * user with the same email address and request that the user to pick one
+ * to use to access the service, however if there is no match, it is
+ * possible that a user of this type could attempt to access the service,
+ * and would have no user roles associated.
+ */
+interface AzureADUser extends BaseUser {
+    authSource: 'azuread';
+}
+type HmppsUser = PrisonUser | ProbationUser | ExternalUser | AzureADUser;
+
+declare enum PermissionCheckStatus {
+    NOT_PERMITTED = "NOT_PERMITTED",// Generic not permitted status - default
+    NOT_IN_CASELOAD = "NOT_IN_CASELOAD",
+    RESTRICTED_PATIENT = "RESTRICTED_PATIENT",
+    PRISONER_IS_RELEASED = "PRISONER_IS_RELEASED",
+    PRISONER_IS_TRANSFERRING = "PRISONER_IS_TRANSFERRING",
+    OK = "OK"
+}
+
+declare class PermissionsLogger {
+    private readonly logger;
+    private readonly telemetryClient?;
+    constructor(logger: bunyan | Console, telemetryClient?: TelemetryClient | undefined);
+    logPermissionCheckStatus(user: HmppsUser, prisoner: Prisoner, permission: PrisonerPermission, permissionCheckStatus: PermissionCheckStatus): void;
+}
+
+declare class PermissionsService {
+    private readonly prisonApiClient;
+    private readonly prisonerSearchClient;
+    readonly permissionsLogger: PermissionsLogger;
+    static create({ prisonApiConfig, prisonerSearchConfig, authenticationClient, logger, telemetryClient, }: {
+        prisonApiConfig: ApiConfig;
+        prisonerSearchConfig: ApiConfig;
+        authenticationClient: AuthenticationClient;
+        logger?: bunyan | typeof console;
+        telemetryClient?: TelemetryClient;
+    }): PermissionsService;
+    private constructor();
+    getPrisonerPermissions({ user, prisoner, requestDependentOn, }: {
+        user: HmppsUser;
+        prisoner: Prisoner;
+        requestDependentOn: PrisonerPermission[];
+    }): PrisonerPermissions;
+    isUserAKeyWorkerAtPrison(token: string, user: HmppsUser, prison: string): Promise<boolean>;
+    getPrisonerDetails(prisonerNumber: string): Promise<Prisoner>;
+}
+
+declare function prisonerPermissionsGuard(permissionsService: PermissionsService, options: {
+    requestDependentOn: PrisonerPermission[];
+    getPrisonerNumberFunction?: (req: Request) => string | undefined;
+}): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+declare class PrisonerPermissionError extends Error {
+    status: number;
+    failedPermissionChecks: PrisonerPermission[];
+    constructor(message?: string, failedPermissionChecks?: PrisonerPermission[]);
+}
+
+export { PrisonerPermissionError as HmppsPermissionsError, PermissionsService, PrisonerBasePermission, checkPrisonerAccess, prisonerPermissionsGuard };
+export type { PermissionsOptions, PrisonerPermission };