BB2-4144: Updated error handling for BFD errors during auth flow (#1381)

* Updated error handling for BFD errors during auth flow

* Remove early return (was for testing purposes)

* Fix tests

* Fix test (for real this time)

Author: jimmyfagan

apps/fhir/server/authentication.py

@@ -103,6 +103,8 @@ def search_fhir_id_by_identifier(search_identifier, request=None):
             if err_detail is not None:
                 raise UpstreamServerException(err_detail)
             return fhir_id
+        except requests.exceptions.HTTPError as e:
+            raise UpstreamServerException(e)
         except requests.exceptions.SSLError as e:
             if retries < max_retries and (env is None or env == 'DEV'):
                 # Checking target_env ensures the retry logic only happens on local
@@ -146,22 +148,23 @@ def match_fhir_id(mbi, mbi_hash, hicn_hash, request=None):
             return fhir_id, "M"
 
     # Perform secondary lookup using HICN_HASH
-    try:
-        fhir_id = search_fhir_id_by_identifier_hicn_hash(hicn_hash, request)
-    except UpstreamServerException as err:
-        log_match_fhir_id(request, None, mbi_hash, hicn_hash, False, "H", str(err))
-        # Don't return a 404 because retrying later will not fix this.
-        raise UpstreamServerException(err.detail)
-
-    if fhir_id:
-        # Found beneficiary!
-        log_match_fhir_id(request, fhir_id, mbi_hash, hicn_hash, True, "H",
-                          "FOUND beneficiary via hicn_hash")
-        return fhir_id, "H"
-    else:
-        log_match_fhir_id(request, fhir_id, mbi_hash, hicn_hash, False, None,
-                          "FHIR ID NOT FOUND for both mbi_hash and hicn_hash")
-        raise exceptions.NotFound("The requested Beneficiary has no entry, however this may change")
+    if hicn_hash:
+        try:
+            fhir_id = search_fhir_id_by_identifier_hicn_hash(hicn_hash, request)
+        except UpstreamServerException as err:
+            log_match_fhir_id(request, None, mbi_hash, hicn_hash, False, "H", str(err))
+            # Don't return a 404 because retrying later will not fix this.
+            raise UpstreamServerException(err.detail)
+
+        if fhir_id:
+            # Found beneficiary!
+            log_match_fhir_id(request, fhir_id, mbi_hash, hicn_hash, True, "H",
+                              "FOUND beneficiary via hicn_hash")
+            return fhir_id, "H"
+
+    log_match_fhir_id(request, fhir_id, mbi_hash, hicn_hash, False, None,
+                      "FHIR ID NOT FOUND for both mbi_hash and hicn_hash")
+    raise exceptions.NotFound("The requested Beneficiary has no entry, however this may change")
 
 
 def _validate_patient_search_result(bundle_of_patients):

apps/fhir/server/tests/test_authentication.py

@@ -3,7 +3,6 @@
 from django.test import RequestFactory
 from django.test.client import Client
 from httmock import HTTMock, urlmatch
-from requests.exceptions import HTTPError
 from rest_framework import exceptions
 
 from apps.fhir.bluebutton.exceptions import UpstreamServerException
@@ -111,7 +110,7 @@ def test_match_fhir_id_server_hicn_error(self):
             Expecting: HTTPError exception raised
         '''
         with HTTMock(self.create_fhir_mock(self.ERROR_KEY, self.NOT_FOUND_KEY)):
-            with self.assertRaises(HTTPError):
+            with self.assertRaises(UpstreamServerException):
                 fhir_id, hash_lookup_type = match_fhir_id(
                     mbi=self.test_mbi,
                     mbi_hash=self.test_mbi_hash,
@@ -124,7 +123,7 @@ def test_match_fhir_id_server_mbi_error(self):
             Expecting: HTTPError exception raised
         '''
         with HTTMock(self.create_fhir_mock(self.NOT_FOUND_KEY, self.ERROR_KEY)):
-            with self.assertRaises(HTTPError):
+            with self.assertRaises(UpstreamServerException):
                 fhir_id, hash_lookup_type = match_fhir_id(
                     mbi=self.test_mbi,
                     mbi_hash=self.test_mbi_hash,

apps/mymedicare_cb/models.py

@@ -23,7 +23,7 @@ class BBMyMedicareCallbackCrosswalkUpdateException(APIException):
     status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
 
 
-def get_and_update_user(slsx_client: OAuth2ConfigSLSx, request=None):
+def get_and_update_user(slsx_client: OAuth2ConfigSLSx, request=None, version=2):
     """
     Find or create the user associated
     with the identity information from the ID provider.
@@ -53,10 +53,15 @@ def get_and_update_user(slsx_client: OAuth2ConfigSLSx, request=None):
     logger = logging.getLogger(logging.AUDIT_AUTHN_MED_CALLBACK_LOGGER, request)
 
     # Match a patient identifier via the backend FHIR server
+    if version == 3:
+        hicn_hash = None
+    else:
+        hicn_hash = slsx_client.hicn_hash
+
     fhir_id, hash_lookup_type = match_fhir_id(
         mbi=slsx_client.mbi,
         mbi_hash=slsx_client.mbi_hash,
-        hicn_hash=slsx_client.hicn_hash, request=request
+        hicn_hash=hicn_hash, request=request
     )
 
     log_dict = {

apps/mymedicare_cb/views.py

@@ -22,14 +22,15 @@
 from apps.dot_ext.models import Approval
 from apps.mymedicare_cb.models import (BBMyMedicareCallbackCrosswalkCreateException,
                                        BBMyMedicareCallbackCrosswalkUpdateException)
+from apps.fhir.bluebutton.exceptions import UpstreamServerException
 from .authorization import (OAuth2ConfigSLSx,
                             MedicareCallbackExceptionType,
                             BBMyMedicareCallbackAuthenticateSlsUserInfoValidateException)
 from .models import AnonUserState, get_and_update_user
 
 
 # For SLSx auth workflow info, see apps/mymedicare_db/README.md
-def authenticate(request):
+def authenticate(request, version=2):
     # Update authorization flow from previously stored state in AuthFlowUuid instance in mymedicare_login().
     request_state = request.GET.get('relay')
 
@@ -63,7 +64,7 @@ def authenticate(request):
     slsx_client.log_event(request, {})
 
     # Find or create the user associated with the identity information from SLS.
-    user, crosswalk_action = get_and_update_user(slsx_client, request=request)
+    user, crosswalk_action = get_and_update_user(slsx_client, request=request, version=version)
 
     # Set crosswalk_action and get auth flow session values.
     set_session_auth_flow_trace_value(request, 'auth_crosswalk_action', crosswalk_action)
@@ -105,7 +106,7 @@ def callback(request, version=2):
 
     user_not_found_error = None
     try:
-        authenticate(request)
+        authenticate(request, version=version)
     except ValidationError as e:
         return JsonResponse({
             "error": e.message,
@@ -125,6 +126,12 @@ def callback(request, version=2):
         return JsonResponse({
             "error": e.detail,
         }, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+    except UpstreamServerException:
+        # Return more generic message to users to prevent oversharing information
+        # Full error details will be available in logs from match_fhir_id
+        return JsonResponse({
+            "error": "Failed to retrieve data from data source."
+        }, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
     scheme, netloc, path, query_string, fragment = urlsplit(next_uri)