ELI-578 nhsd app id (temp consumer identifier) - campaign mapping (#504)

* ELI-578 consumer_id - campaign_config mapping

* ELI-578 added dummy consumer id

* ELI-578 local stack configuration

* ELI-578 wip test

* ELI-578 unit test fixed

* ELI-578 consumer_id error validation

* ELI-578 intergation testing

* ELI-578 lambda

* ELI-578 integration test

* ELI-578 Integration test to check if consumer has campaign mappings

* ELI-578 Unit tests

* added test : customer requesting for campaign that is not mapped

* consumer with no campaign mapping is valid

* ELI-578 consumer_id - campaign_config mapping

* ELI-578 added dummy consumer id

* ELI-578 local stack configuration

* ELI-578 wip test

* ELI-578 unit test fixed

* ELI-578 consumer_id error validation

* ELI-578 intergation testing

* ELI-578 lambda

* ELI-578 integration test

* ELI-578 Integration test to check if consumer has campaign mappings

* ELI-578 Unit tests

* added test : customer requesting for campaign that is not mapped

* consumer with no campaign mapping is valid

* revert

* linting

* removed unused code

* added CONSUMER_ID_NOT_PROVIDED_ERROR back

* more test cases

* hardcodes values are converted to fixtures

* fixtures

* fixtures

* linting

* more scenarios

* added consumer-id header to the requests in unit tests

* linting

* Added vacc request placeholder in tests.

* fixed linting.

* added sample consumer-mapping file

* test_valid_response_when_consumer_has_a_valid_campaign_config_mapping parameterise are categorised

* multiple campaigns for same target

* multiple campaigns for same target

* consumer config structure modification

* lint fix

* consumer mapping - schema

* Terraform consumer mapping bucket

* Terraform consumer mapping bucket policy

* more linting

* fix s3

* fix s3

* revert to S3ReadAccess

* iam permissions

* more tests

* name correction

* one more test scenario

* one more test scenario

* added comments

* test case - check best status is picked from the iterations

* test cases fixed

* fix lambda test case

* fix lambda test case

* fix latest testcases without consumer mapping

* removed unsued conftest

* renamed conftests

* fixed comment

* no reference  to CONSUMER_ID in constant in tests

* integration tests

* integration tests

* checkov suggestions

* checkov suggestions

* Revert "checkov suggestions"

This reverts commit 37c919d.

* Revert "checkov suggestions"

This reverts commit d681b59.

* revert - checkov suggestions

* checkov skips

* checkov skips

* renamed "Campaign" to CampaignConfigId"

* "CampaignConfigID" is the campaign id in consumer mapping

---------

Co-authored-by: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>

Author: Karthikeyannhs

infrastructure/modules/lambda/lambda.tf

@@ -17,14 +17,15 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   environment {
     variables = {
-      PERSON_TABLE_NAME          = var.eligibility_status_table_name,
-      RULES_BUCKET_NAME          = var.eligibility_rules_bucket_name,
-      KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
-      ENV                        = var.environment
-      LOG_LEVEL                  = var.log_level
-      ENABLE_XRAY_PATCHING       = var.enable_xray_patching
-      API_DOMAIN_NAME            = var.api_domain_name
-      HASHING_SECRET_NAME        = var.hashing_secret_name
+      PERSON_TABLE_NAME            = var.eligibility_status_table_name,
+      RULES_BUCKET_NAME            = var.eligibility_rules_bucket_name,
+      CONSUMER_MAPPING_BUCKET_NAME = var.eligibility_consumer_mappings_bucket_name,
+      KINESIS_AUDIT_STREAM_TO_S3   = var.kinesis_audit_stream_to_s3_name
+      ENV                          = var.environment
+      LOG_LEVEL                    = var.log_level
+      ENABLE_XRAY_PATCHING         = var.enable_xray_patching
+      API_DOMAIN_NAME              = var.api_domain_name
+      HASHING_SECRET_NAME          = var.hashing_secret_name
     }
   }
 

infrastructure/modules/lambda/variables.tf

@@ -44,6 +44,11 @@ variable "eligibility_rules_bucket_name" {
   type        = string
 }
 
+variable "eligibility_consumer_mappings_bucket_name" {
+  description = "consumer mappings bucket name"
+  type        = string
+}
+
 variable "eligibility_status_table_name" {
   description = "eligibility datastore table name"
   type        = string

infrastructure/stacks/api-layer/iam_policies.tf

@@ -104,6 +104,60 @@ data "aws_iam_policy_document" "rules_s3_bucket_policy" {
   }
 }
 
+# Policy doc for S3 Consumer Mappings bucket
+data "aws_iam_policy_document" "s3_consumer_mapping_bucket_policy" {
+  statement {
+    sid = "AllowSSLRequestsOnly"
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      module.s3_consumer_mappings_bucket.storage_bucket_arn,
+      "${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+    ]
+    condition {
+      test     = "Bool"
+      values = ["true"]
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "consumer_mapping_s3_bucket" {
+  bucket = module.s3_consumer_mappings_bucket.storage_bucket_id
+  policy = data.aws_iam_policy_document.consumer_mapping_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "consumer_mapping_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      module.s3_consumer_mappings_bucket.storage_bucket_arn,
+      "${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+    ]
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# audit bucket
 resource "aws_s3_bucket_policy" "audit_s3_bucket" {
   bucket = module.s3_audit_bucket.storage_bucket_id
   policy = data.aws_iam_policy_document.audit_s3_bucket_policy.json
@@ -136,12 +190,18 @@ data "aws_iam_policy_document" "audit_s3_bucket_policy" {
 }
 
 # Attach s3 read policy to Lambda role
-resource "aws_iam_role_policy" "lambda_s3_read_policy" {
+resource "aws_iam_role_policy" "lambda_s3_rules_read_policy" {
   name   = "S3ReadAccess"
   role   = aws_iam_role.eligibility_lambda_role.id
   policy = data.aws_iam_policy_document.s3_rules_bucket_policy.json
 }
 
+resource "aws_iam_role_policy" "lambda_s3_mapping_read_policy" {
+  name   = "S3ConsumerMappingReadAccess"
+  role   = aws_iam_role.eligibility_lambda_role.id
+  policy = data.aws_iam_policy_document.s3_consumer_mapping_bucket_policy.json
+}
+
 # Attach s3 write policy to kinesis firehose role
 resource "aws_iam_role_policy" "kinesis_firehose_s3_write_policy" {
   name   = "S3WriteAccess"
@@ -290,6 +350,41 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
   policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
 }
 
+data "aws_iam_policy_document" "s3_consumer_mapping_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = ["kms:*"]
+    resources = ["*"]
+  }
+
+  #checkov:skip=CKV_AWS_111: Permission boundary enforces restrictions for this policy
+  #checkov:skip=CKV_AWS_356: Permission boundary enforces resource-level controls
+  #checkov:skip=CKV_AWS_109: Permission boundary governs write-access constraints
+  statement {
+    sid    = "AllowLambdaDecrypt"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+    }
+    actions = ["kms:Decrypt"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key_policy" "s3_consumer_mapping_kms_key" {
+  key_id = module.s3_consumer_mappings_bucket.storage_bucket_kms_key_id
+  policy = data.aws_iam_policy_document.s3_consumer_mapping_kms_key_policy.json
+}
+
 resource "aws_iam_role_policy" "splunk_firehose_policy" {
   #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
   #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams

infrastructure/stacks/api-layer/lambda.tf

@@ -11,27 +11,28 @@ data "aws_subnet" "private_subnets" {
 }
 
 module "eligibility_signposting_lambda_function" {
-  source                            = "../../modules/lambda"
-  eligibility_lambda_role_arn       = aws_iam_role.eligibility_lambda_role.arn
-  eligibility_lambda_role_name      = aws_iam_role.eligibility_lambda_role.name
-  workspace                         = local.workspace
-  environment                       = var.environment
-  runtime                           = "python3.13"
-  lambda_func_name                  = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
+  source                                    = "../../modules/lambda"
+  eligibility_lambda_role_arn               = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name              = aws_iam_role.eligibility_lambda_role.name
+  workspace                                 = local.workspace
+  environment                               = var.environment
+  runtime                                   = "python3.13"
+  lambda_func_name                          = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
   security_group_ids = [data.aws_security_group.main_sg.id]
-  vpc_intra_subnets                 = [for v in data.aws_subnet.private_subnets : v.id]
-  file_name                         = "../../../dist/lambda.zip"
-  handler                           = "eligibility_signposting_api.app.lambda_handler"
-  eligibility_rules_bucket_name     = module.s3_rules_bucket.storage_bucket_name
-  eligibility_status_table_name     = module.eligibility_status_table.table_name
-  kinesis_audit_stream_to_s3_name   = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
-  hashing_secret_name               = module.secrets_manager.aws_hashing_secret_name
-  lambda_insights_extension_version = 38
-  log_level                         = "INFO"
-  enable_xray_patching              = "true"
-  stack_name                        = local.stack_name
-  provisioned_concurrency_count     = 5
-  api_domain_name                   = local.api_domain_name
+  vpc_intra_subnets                         = [for v in data.aws_subnet.private_subnets : v.id]
+  file_name                                 = "../../../dist/lambda.zip"
+  handler                                   = "eligibility_signposting_api.app.lambda_handler"
+  eligibility_rules_bucket_name             = module.s3_rules_bucket.storage_bucket_name
+  eligibility_consumer_mappings_bucket_name = module.s3_consumer_mappings_bucket.storage_bucket_name
+  eligibility_status_table_name             = module.eligibility_status_table.table_name
+  kinesis_audit_stream_to_s3_name           = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+  hashing_secret_name                       = module.secrets_manager.aws_hashing_secret_name
+  lambda_insights_extension_version         = 38
+  log_level                                 = "INFO"
+  enable_xray_patching                      = "true"
+  stack_name                                = local.stack_name
+  provisioned_concurrency_count             = 5
+  api_domain_name                           = local.api_domain_name
 }
 
 # -----------------------------------------------------------------------------

infrastructure/stacks/api-layer/s3_buckets.tf

@@ -7,6 +7,15 @@ module "s3_rules_bucket" {
   workspace    = terraform.workspace
 }
 
+module "s3_consumer_mappings_bucket" {
+  source       = "../../modules/s3"
+  bucket_name  = "eli-consumer-map"
+  environment  = var.environment
+  project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
+}
+
 module "s3_audit_bucket" {
   source                 = "../../modules/s3"
   bucket_name            = "eli-audit"

src/eligibility_signposting_api/common/api_error_response.py

@@ -135,3 +135,11 @@ def log_and_generate_response(
     fhir_error_code=FHIRSpineErrorCode.ACCESS_DENIED,
     fhir_display_message="Access has been denied to process this request.",
 )
+
+CONSUMER_ID_NOT_PROVIDED_ERROR = APIErrorResponse(
+    status_code=HTTPStatus.FORBIDDEN,
+    fhir_issue_code=FHIRIssueCode.FORBIDDEN,
+    fhir_issue_severity=FHIRIssueSeverity.ERROR,
+    fhir_error_code=FHIRSpineErrorCode.ACCESS_DENIED,
+    fhir_display_message="Access has been denied to process this request.",
+)

src/eligibility_signposting_api/common/request_validator.py

@@ -7,12 +7,13 @@
 from flask.typing import ResponseReturnValue
 
 from eligibility_signposting_api.common.api_error_response import (
+    CONSUMER_ID_NOT_PROVIDED_ERROR,
     INVALID_CATEGORY_ERROR,
     INVALID_CONDITION_FORMAT_ERROR,
     INVALID_INCLUDE_ACTIONS_ERROR,
     NHS_NUMBER_ERROR,
 )
-from eligibility_signposting_api.config.constants import NHS_NUMBER_HEADER
+from eligibility_signposting_api.config.constants import CONSUMER_ID, NHS_NUMBER_HEADER
 
 logger = logging.getLogger(__name__)
 
@@ -50,6 +51,13 @@ def validate_request_params() -> Callable:
     def decorator(func: Callable) -> Callable:
         @wraps(func)
         def wrapper(*args, **kwargs) -> ResponseReturnValue:  # noqa:ANN002,ANN003
+            consumer_id = request.headers.get(CONSUMER_ID)
+            if not consumer_id:
+                message = "You are not authorised to request"
+                return CONSUMER_ID_NOT_PROVIDED_ERROR.log_and_generate_response(
+                    log_message=message, diagnostics=message
+                )
+
             path_nhs_number = str(kwargs.get("nhs_number")) if kwargs.get("nhs_number") else None
 
             if not path_nhs_number:

src/eligibility_signposting_api/config/config.py

@@ -22,6 +22,7 @@
 def config() -> dict[str, Any]:
     person_table_name = TableName(os.getenv("PERSON_TABLE_NAME", "test_eligibility_datastore"))
     rules_bucket_name = BucketName(os.getenv("RULES_BUCKET_NAME", "test-rules-bucket"))
+    consumer_mapping_bucket_name = BucketName(os.getenv("CONSUMER_MAPPING_BUCKET_NAME", "test-consumer-mapping-bucket"))
     audit_bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
     hashing_secret_name = HashSecretName(os.getenv("HASHING_SECRET_NAME", "test_secret"))
     aws_default_region = AwsRegion(os.getenv("AWS_DEFAULT_REGION", "eu-west-1"))
@@ -41,6 +42,7 @@ def config() -> dict[str, Any]:
             "s3_endpoint": None,
             "rules_bucket_name": rules_bucket_name,
             "audit_bucket_name": audit_bucket_name,
+            "consumer_mapping_bucket_name": consumer_mapping_bucket_name,
             "firehose_endpoint": None,
             "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
             "enable_xray_patching": enable_xray_patching,
@@ -59,6 +61,7 @@ def config() -> dict[str, Any]:
         "s3_endpoint": URL(os.getenv("S3_ENDPOINT", local_stack_endpoint)),
         "rules_bucket_name": rules_bucket_name,
         "audit_bucket_name": audit_bucket_name,
+        "consumer_mapping_bucket_name": consumer_mapping_bucket_name,
         "firehose_endpoint": URL(os.getenv("FIREHOSE_ENDPOINT", local_stack_endpoint)),
         "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
         "enable_xray_patching": enable_xray_patching,

src/eligibility_signposting_api/config/constants.py

@@ -3,4 +3,5 @@
 URL_PREFIX = "patient-check"
 RULE_STOP_DEFAULT = False
 NHS_NUMBER_HEADER = "nhs-login-nhs-number"
+CONSUMER_ID = "nhsd-application-id"  # "Nhsd-Application-Id"
 ALLOWED_CONDITIONS = Literal["COVID", "FLU", "MMR", "RSV"]

src/eligibility_signposting_api/model/consumer_mapping.py

@@ -0,0 +1,17 @@
+from typing import NewType
+
+from pydantic import BaseModel, Field, RootModel
+
+from eligibility_signposting_api.model.campaign_config import CampaignID
+
+ConsumerId = NewType("ConsumerId", str)
+
+
+class ConsumerCampaign(BaseModel):
+    campaign_config_id: CampaignID = Field(alias="CampaignConfigID")
+    description: str | None = Field(default=None, alias="Description")
+
+
+class ConsumerMapping(RootModel[dict[ConsumerId, list[ConsumerCampaign]]]):
+    def get(self, key: ConsumerId, default: list[ConsumerCampaign] | None = None) -> list[ConsumerCampaign] | None:
+        return self.root.get(key, default)