Merge branch 'main' into enable-cis2-in-test

README.md

@@ -265,28 +265,41 @@ This service uses [NHS's CIS2 Care Identity Authentication
 service](https://digital.nhs.uk/developer/api-catalogue/nhs-cis2-care-identity-authentication)
 to perform OIDC authentication for users.
 
-You can retrieve the issuer URL from the appropriate endpoint listed on [CIS2 Guidance Discovery
-page](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/guidance-for-developers/detailed-guidance/discovery):
+You can retrieve the issuer URL from the appropriate endpoint listed on [CIS2
+Guidance Discovery page]
+(https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/guidance-for-developers/detailed-guidance/discovery)
+(note: the dev env is being deprecated and will be removed):
 
 ```sh
-$ curl -s https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/oidc/.well-known/openid-configuration | jq ".issuer"
-"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc"
+$ curl -s https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration | jq .issuer
+"https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare"
 ```
 
-New client ids and secrets can be obtained from the NHS CIS2 Authentication team
-(<[email protected]>).
+Clients can be configured via CIS2 Connection Manager, please contact other team
+members to get the details for that. Mavis can use either a client secret or a
+private key JWT when authenticating requests to CIS2, these are configured with
+the Connection Manager too.
 
-Put the `issuer`, `client_id` and `secret` into the Settings for your env, and
-ensure cis2 is enabled:
+Once you've created a client config, put the `client_id` and
+`secret`/`private_key` into your local settings and ensure cis2 is enabled. For
+deployed environments these parameters need to be places into our AWS parameter
+store and are environment-specific. Here's an example of a full settings section
+using a `client_secret`:
 
 ```yml
 cis2:
   enabled: true
-  issuer: "https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc"
-  client_id: CLIENT_ID
-  secret: SECRET
+  issuer: https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcareopenam/oauth2/realms/root/realms/oidc"
+  client_id: # Only include for local settings, otherwise populate in AWS parameter store
+  secret: # Only include for local settings, otherwise populate in AWS parameter store
 ```
 
+When configuring a new `private_key` for production, for example (which must
+have it's own key), you'll need to add the public key PEM to `PagesController#jwks`
+so that it can be served out from the `/oidc/jwks` endpoint. CIS2 will use this
+to decrypt JWKs when using the `private_key_jwk` authentication method. These
+keys should be rotated on a regular basis.
+
 ## Rake tasks
 
 - `clinics:create[name,address,town,postcode,ods_code,team_ods_code]`

app/components/app_outcome_banner_component.rb

@@ -80,7 +80,7 @@ def clinician_name
     if clinician == @current_user
       "You (#{clinician.full_name})"
     else
-      clinician.full_name
+      clinician&.full_name || "Unknown"
     end
   end
 

app/components/app_simple_status_banner_component.html.erb

@@ -2,9 +2,9 @@
   <% c.with_heading { heading } %>
   <p><%= I18n.t("patient_session_statuses.#{state}.banner_explanation",
                 default: "", full_name:, nurse:, who_refused:) %></p>
-  <% if state.in? %w[delay_vaccination
+  <% if state.in?(%w[delay_vaccination
                      triaged_ready_to_vaccinate
-                     triaged_do_not_vaccinate] %>
+                     triaged_do_not_vaccinate]) && helpers.policy(Triage).edit? %>
     <p>
       <%= link_to "Update triage outcome", new_session_patient_triages_path(
             session_id: @patient_session.session.id,

app/controllers/consent_forms_controller.rb

@@ -14,7 +14,7 @@ def unmatched_responses
   def show
     @patient_sessions =
       @consent_form
-        .scheduled_session
+        .original_session
         .patient_sessions
         .includes(:patient)
         .order("patients.family_name")
@@ -39,7 +39,7 @@ def match
       heading_link_text: patient.full_name,
       heading_link_href:
         session_patient_path(
-          patient.upcoming_sessions.first || @consent_form.scheduled_session,
+          patient.upcoming_sessions.first || @consent_form.original_session,
           id: patient.id,
           section: "triage",
           tab: "given"

app/controllers/parent_interface/consent_forms/base_controller.rb

@@ -13,7 +13,7 @@ class ConsentForms::BaseController < ApplicationController
 
     def set_consent_form
       @consent_form = ConsentForm.find(params[:consent_form_id] || params[:id])
-      @session = @consent_form.scheduled_session
+      @session = @consent_form.original_session
       @programme = @consent_form.programme
       @team = @consent_form.team
     end

app/controllers/parent_interface/consent_forms/edit_controller.rb

@@ -10,6 +10,8 @@ class ConsentForms::EditController < ConsentForms::BaseController
     before_action :set_health_answer, if: :is_health_question_step?
     before_action :set_follow_up_changes_start_page, only: %i[show]
 
+    HOME_EDUCATED_SCHOOL_ID = "home-educated"
+
     def show
       render_wizard
     end
@@ -24,8 +26,15 @@ def update
           wizard_step: current_step,
           health_question_number: @question_number
         )
+      elsif step == "school" &&
+            update_params[:school_id] == HOME_EDUCATED_SCHOOL_ID
+        model.assign_attributes(
+          school: nil,
+          home_educated: true,
+          wizard_step: current_step
+        )
       else
-        model.assign_attributes(update_params)
+        model.assign_attributes(wizard_step: current_step, **update_params)
       end
 
       if current_step == :parent &&
@@ -84,10 +93,7 @@ def update_params
         address: %i[address_line_1 address_line_2 address_town address_postcode]
       }.fetch(current_step)
 
-      params
-        .fetch(:consent_form, {})
-        .permit(permitted_attributes)
-        .merge(wizard_step: current_step)
+      params.fetch(:consent_form, {}).permit(permitted_attributes)
     end
 
     def health_answer_params

app/controllers/users/omniauth_callbacks_controller.rb

@@ -96,4 +96,8 @@ def set_cis2_session_info
       "has_other_roles" => raw_cis2_info["nhsid_nrbac_roles"].length > 1
     }
   end
+
+  def after_omniauth_failure_path_for(_scope)
+    root_path
+  end
 end

app/controllers/vaccinations/edit_controller.rb

@@ -94,12 +94,13 @@ def set_steps
 
   def set_draft_vaccination_record
     @draft_vaccination_record = @patient_session.draft_vaccination_record
+
     if (session[:delivery_site_other] = "true")
       @draft_vaccination_record.delivery_site_other = true
     end
-    if todays_batch_id.present?
-      @draft_vaccination_record.todays_batch =
-        policy_scope(Batch).find(todays_batch_id)
+
+    if (id = todays_batch_id).present?
+      @draft_vaccination_record.todays_batch = policy_scope(Batch).find_by(id:)
     end
   end
 

app/controllers/vaccinations_controller.rb

@@ -61,8 +61,8 @@ def create
          create_params.merge(performed_by: current_user)
        )
       session[:delivery_site_other] = "true" if delivery_site_param_other?
-      @draft_vaccination_record.todays_batch =
-        todays_batch_id if todays_batch_id.present?
+
+      @draft_vaccination_record.todays_batch = @todays_batch
 
       redirect_to session_patient_vaccinations_edit_path(
                     @session,

app/jobs/clinic_session_invitations_job.rb

@@ -6,49 +6,56 @@ class ClinicSessionInvitationsJob < ApplicationJob
   def perform
     return unless Flipper.enabled?(:scheduled_emails)
 
-    # TODO: when do we want to send these?
-    date = 3.weeks.from_now.to_date
-
-    patient_sessions =
-      PatientSession
+    sessions =
+      Session
+        .send_invitations
         .includes(
-          :consents,
-          patient: %i[session_notifications vaccination_records],
-          session: :programmes
+          :dates,
+          :programmes,
+          patient_sessions: %i[
+            consents
+            patient
+            session_notifications
+            vaccination_records
+          ]
         )
-        .joins(:location, :session)
+        .joins(:location)
         .merge(Location.clinic)
-        .merge(Session.has_date(date))
-        .notification_not_sent(date)
         .strict_loading
 
-    patient_sessions.each do |patient_session|
-      next unless should_send_notification?(patient_session:)
+    sessions.each do |session|
+      session_date = session.today_or_future_dates.first
 
-      patient = patient_session.patient
+      session.patient_sessions.each do |patient_session|
+        next unless should_send_notification?(patient_session:, session_date:)
 
-      type =
-        if patient.session_notifications.any? { _1.session_id == session.id }
-          :clinic_subsequent_invitation
-        else
-          :clinic_initial_invitation
-        end
+        type =
+          if patient_session.session_notifications.any?
+            :clinic_subsequent_invitation
+          else
+            :clinic_initial_invitation
+          end
 
-      SessionNotification.create_and_send!(
-        patient_session:,
-        session_date: date,
-        type:
-      )
+        SessionNotification.create_and_send!(
+          patient_session:,
+          session_date:,
+          type:
+        )
+      end
     end
   end
 
-  def should_send_notification?(patient_session:)
-    patient = patient_session.patient
-    programmes = patient_session.session.programmes
+  def should_send_notification?(patient_session:, session_date:)
+    return false unless patient_session.send_notifications?
+
+    return false if patient_session.vaccination_administered?
 
-    return false unless patient.send_notifications?
+    already_sent_notification =
+      patient_session.session_notifications.any? do
+        _1.session_date == session_date
+      end
 
-    return false if programmes.all? { patient.vaccinated?(_1) }
+    return false if already_sent_notification
 
     return false if patient_session.consent_refused?
 

app/jobs/concerns/merge_patients_concern.rb

@@ -16,10 +16,10 @@ def merge_patients!(patient_to_keep, patient_to_remove)
                )
            )
           patient_session.gillick_assessments.update_all(
-            patient_session: existing_patient_session
+            patient_session_id: existing_patient_session.id
           )
           patient_session.vaccination_records.update_all(
-            patient_session: existing_patient_session
+            patient_session_id: existing_patient_session.id
           )
         else
           patient_session.update!(patient: patient_to_keep)

app/jobs/consent_form_matching_job.rb

@@ -23,8 +23,8 @@ def perform(consent_form)
       return
     end
 
-    # Search in the scheduled session if not
-    session = consent_form.scheduled_session
+    # Search in the original scheduled session if not
+    session = consent_form.original_session
 
     patients = session.patients.match_existing(nhs_number: nil, **query)
 

app/jobs/school_session_reminders_job.rb

@@ -36,9 +36,7 @@ def perform
   end
 
   def should_send_notification?(patient_session:)
-    patient = patient_session.patient
-
-    return false unless patient.send_notifications?
+    return false unless patient_session.send_notifications?
 
     return false if patient_session.vaccination_administered?
 

app/lib/govuk_notify_personalisation.rb

@@ -23,7 +23,7 @@ def initialize(
       programme || vaccination_record&.programme || consent_form&.programme ||
         consent&.programme
     @session =
-      session || consent_form&.scheduled_session || patient_session&.session
+      session || consent_form&.original_session || patient_session&.session
     @team =
       session&.team || patient_session&.team || consent_form&.team ||
         consent&.team || vaccination_record&.team