Merge branch 'main' into ELI-623

TOEL2 · web-flow · commit 0f4da270227c · 2026-02-05T15:37:29.000Z
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
@@ -203,7 +203,8 @@ jobs:
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
           TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
-          TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
         working-directory: ./infrastructure
         shell: bash
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
@@ -103,7 +103,8 @@ jobs:
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
           TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
-          TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
         run: |
           mkdir -p ./build
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
@@ -90,7 +90,8 @@ jobs:
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
           TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
-          TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
         run: |
           mkdir -p ./build
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
@@ -237,7 +237,8 @@ jobs:
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
           TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
-          TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+          TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
         run: |
           mkdir -p ./build
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -400,6 +400,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "ssm:ListTagsForResource",
           "ssm:PutParameter",
           "ssm:AddTagsToResource",
+          "ssm:DeleteParameter",
 
           # acm
           "acm:ListTagsForCertificate",
@@ -457,6 +458,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",
           "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
           "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
+          "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/ptl/*",
+          "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/prod/*",
           "arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",
           "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -193,6 +193,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
       "ssm:AddTagsToResource",
+      "ssm:DeleteParameter",
 
       # WAFv2 - web application firewall management
       "wafv2:CreateWebACL",
diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf
@@ -1,9 +1,14 @@
 resource "aws_ssm_parameter" "proxygen_private_key" {
-  count = var.environment == "dev" ? 1 : 0
-  name  = "/${var.environment}/proxygen/private_key"
-  type  = "SecureString"
+  for_each = var.environment == "dev" ? {
+    ptl  = { path = "/ptl/proxygen/private_key", value = var.PROXYGEN_PRIVATE_KEY_PTL }
+    prod = { path = "/prod/proxygen/private_key", value = var.PROXYGEN_PRIVATE_KEY_PROD }
+  } : {}
+
+  name   = each.value.path
+  type   = "SecureString"
   key_id = aws_kms_key.networking_ssm_key.id
-  value = var.PROXYGEN_PRIVATE_KEY
+  value  = each.value.value
+
   tier  = "Advanced"
 
   tags = {
diff --git a/infrastructure/stacks/networking/variables.tf b/infrastructure/stacks/networking/variables.tf
@@ -13,8 +13,13 @@ variable "API_PRIVATE_KEY_CERT" {
   description = "The private key for the signed Client Certificate"
   sensitive   = true
 }
-variable "PROXYGEN_PRIVATE_KEY" {
+variable "PROXYGEN_PRIVATE_KEY_PTL" {
   type        = string
-  description = "The private key for Proxygen authentication"
+  description = "The private key for Proxygen `PTL` environment authentication"
+  sensitive   = true
+}
+variable "PROXYGEN_PRIVATE_KEY_PROD" {
+  type        = string
+  description = "The private key for Proxygen `Prod` environment authentication"
   sensitive   = true
 }
diff --git a/src/eligibility_signposting_api/services/processors/derived_values/add_days_handler.py b/src/eligibility_signposting_api/services/processors/derived_values/add_days_handler.py
@@ -27,7 +27,6 @@ class AddDaysHandler(DerivedValueHandler):
 
     function_name: str = "ADD_DAYS"
 
-    # Mapping of derived attribute names to their source attributes
     DERIVED_ATTRIBUTE_SOURCES: ClassVar[dict[str, str]] = {
         "NEXT_DOSE_DUE": "LAST_SUCCESSFUL_DATE",
     }
@@ -62,7 +61,6 @@ def get_source_attribute(self, target_attribute: str, function_args: str | None
             The source attribute name (e.g., 'LAST_SUCCESSFUL_DATE')
         """
         if function_args and "," in function_args:
-            # Extract source from args if present (second argument)
             parts = [p.strip() for p in function_args.split(",")]
             if len(parts) > 1 and parts[1]:
                 return parts[1].upper()
@@ -98,6 +96,9 @@ def calculate(self, context: DerivedValueContext) -> str:
     def _find_source_date(self, context: DerivedValueContext) -> str | None:
         """Find the source date value from person data.
 
+        For PERSON/COHORT-level attributes, looks for ATTRIBUTE_TYPE == attribute_level.
+        For TARGET-level attributes, looks for ATTRIBUTE_TYPE == context.attribute_name (e.g., "COVID").
+
         Args:
             context: The derived value context
 
@@ -108,8 +109,13 @@ def _find_source_date(self, context: DerivedValueContext) -> str | None:
         if not source_attr:
             return None
 
+        if context.attribute_level in ("PERSON", "COHORT"):
+            attribute_type_to_match = context.attribute_level
+        else:
+            attribute_type_to_match = context.attribute_name
+
         for attribute in context.person_data:
-            if attribute.get("ATTRIBUTE_TYPE") == context.attribute_name:
+            if attribute.get("ATTRIBUTE_TYPE") == attribute_type_to_match:
                 return attribute.get(source_attr)
 
         return None
@@ -128,7 +134,6 @@ def _get_days_to_add(self, context: DerivedValueContext) -> int:
         Returns:
             Number of days to add
         """
-        # Priority 1: Token argument (if non-empty)
         if context.function_args:
             args = context.function_args.split(",")[0].strip()
             if args:
@@ -138,11 +143,9 @@ def _get_days_to_add(self, context: DerivedValueContext) -> int:
                     message = f"Invalid days argument '{args}' for ADD_DAYS function. Expected an integer."
                     raise ValueError(message) from e
 
-        # Priority 2: Vaccine-specific configuration
         if context.attribute_name in self.vaccine_type_days:
             return self.vaccine_type_days[context.attribute_name]
 
-        # Priority 3: Default
         return self.default_days
 
     def _add_days_to_date(self, date_str: str, days: int) -> datetime:
diff --git a/src/eligibility_signposting_api/services/processors/derived_values/base.py b/src/eligibility_signposting_api/services/processors/derived_values/base.py
@@ -9,17 +9,20 @@ class DerivedValueContext:
 
     Attributes:
         person_data: List of person attribute dictionaries
-        attribute_name: The condition/vaccine type (e.g., 'COVID', 'RSV')
+        attribute_name: The condition/vaccine type (e.g., 'COVID', 'RSV') or person/cohort attribute
+                        (e.g., 'DATE_OF_BIRTH')
         source_attribute: The source attribute to derive from (e.g., 'LAST_SUCCESSFUL_DATE')
         function_args: Arguments passed to the function (e.g., number of days)
         date_format: Optional date format string for output formatting
+        attribute_level: The level of the attribute ('TARGET', 'PERSON' or 'COHORT')
     """
 
     person_data: list[dict[str, Any]]
     attribute_name: str
     source_attribute: str | None
     function_args: str | None
     date_format: str | None
+    attribute_level: str = "TARGET"
 
 
 class DerivedValueHandler(ABC):
diff --git a/src/eligibility_signposting_api/services/processors/token_processor.py b/src/eligibility_signposting_api/services/processors/token_processor.py
@@ -90,15 +90,15 @@ def get_token_replacement(token: str, person_data: list[dict], present_attribute
         if TokenProcessor.should_replace_with_empty(parsed_token, present_attributes):
             return ""
 
-        # Check if this is a derived value (has a function like ADD_DAYS)
         if parsed_token.function_name:
             return TokenProcessor.get_derived_value(parsed_token, person_data, present_attributes, token)
 
+        TokenProcessor.validate_target_attribute(parsed_token, token)
+
         found_attribute, key_to_replace = TokenProcessor.find_matching_attribute(parsed_token, person_data)
 
         if not found_attribute or not key_to_replace:
             TokenProcessor.handle_token_not_found(parsed_token, token)
-            # handle_token_not_found always raises, but the type checker needs help
             msg = "Unreachable"
             raise RuntimeError(msg)  # pragma: no cover
 
@@ -113,6 +113,11 @@ def get_derived_value(
     ) -> str:
         """Calculate a derived value using the registered handler.
 
+        For TARGET level tokens, validates that the condition is allowed before processing.
+        If the vaccine type is not in person data, returns an empty string.
+        For derived values, any target attribute name is allowed (e.g., NEXT_BOOKING_AVAILABLE)
+        since it's just a placeholder that may be surfaced in the future.
+
         Args:
             parsed_token: The parsed token containing function information
             person_data: List of person attribute dictionaries
@@ -136,20 +141,14 @@ def get_derived_value(
             message = f"Unknown function '{function_name}' in token '{token}'."
             raise ValueError(message)
 
-        # For TARGET level tokens, validate the condition is allowed
         if parsed_token.attribute_level == TARGET_ATTRIBUTE_LEVEL:
             is_allowed_condition = parsed_token.attribute_name in ALLOWED_CONDITIONS.__args__
-            is_allowed_target_attr = parsed_token.attribute_value in ALLOWED_TARGET_ATTRIBUTES
 
-            # If condition is not allowed, raise error
             if not is_allowed_condition:
                 TokenProcessor.handle_token_not_found(parsed_token, token)
 
-            # If vaccine type is not in person data but is allowed, return empty
             if parsed_token.attribute_name not in present_attributes:
-                if is_allowed_target_attr:
-                    return ""
-                TokenProcessor.handle_token_not_found(parsed_token, token)
+                return ""
 
         try:
             target_attribute = parsed_token.attribute_value or parsed_token.attribute_name
@@ -165,14 +164,14 @@ def get_derived_value(
                 source_attribute=source_attribute,
                 function_args=parsed_token.function_args,
                 date_format=parsed_token.format,
+                attribute_level=parsed_token.attribute_level,
             )
 
             return registry.calculate(
                 function_name=function_name,
                 context=context,
             )
         except ValueError as e:
-            # Re-raise with more context
             message = f"Error calculating derived value for token '{token}': {e}"
             raise ValueError(message) from e
 
@@ -185,6 +184,26 @@ def should_replace_with_empty(parsed_token: ParsedToken, present_attributes: set
 
         return all([is_target_level, is_allowed_condition, is_allowed_target_attr, is_attr_not_present])
 
+    @staticmethod
+    def validate_target_attribute(parsed_token: ParsedToken, token: str) -> None:
+        """Validate that target attribute is allowed for non-derived tokens.
+
+        For regular (non-derived) tokens, only allow known target attributes.
+        Derived values with functions can use any custom target attribute name.
+
+        Args:
+            parsed_token: The parsed token to validate
+            token: The original token string for error messages
+
+        Raises:
+            ValueError: If the target attribute is not in ALLOWED_TARGET_ATTRIBUTES
+        """
+        if (
+            parsed_token.attribute_level == TARGET_ATTRIBUTE_LEVEL
+            and parsed_token.attribute_value not in ALLOWED_TARGET_ATTRIBUTES
+        ):
+            TokenProcessor.handle_token_not_found(parsed_token, token)
+
     @staticmethod
     def find_matching_attribute(parsed_token: ParsedToken, person_data: list[dict]) -> tuple[dict | None, str | None]:
         attribute_level_map = {
diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py
@@ -1162,6 +1162,48 @@ def campaign_config_with_multiple_add_days(
     s3_client.delete_object(Bucket=rules_bucket, Key=f"{campaign.name}.json")
 
 
+@pytest.fixture
+def campaign_config_with_custom_target_attributes(
+    s3_client: BaseClient, rules_bucket: BucketName
+) -> Generator[CampaignConfig]:
+    """Campaign config with custom target attribute names for derived values."""
+    campaign: CampaignConfig = rule.CampaignConfigFactory.build(
+        target="COVID",
+        iterations=[
+            rule.IterationFactory.build(
+                default_comms_routing="CUSTOM_BOOKING_DATE",
+                actions_mapper=rule.ActionsMapperFactory.build(
+                    root={
+                        "CUSTOM_BOOKING_DATE": AvailableAction(
+                            ActionType="DataValue",
+                            ExternalRoutingCode="NextBookingAvailable",
+                            ActionDescription=(
+                                "[[TARGET.COVID.NEXT_BOOKING_AVAILABLE:ADD_DAYS(71, LAST_SUCCESSFUL_DATE):"
+                                "DATE(%d %B %Y)]]"
+                            ),
+                        ),
+                    }
+                ),
+                iteration_rules=[],
+                iteration_cohorts=[
+                    rule.IterationCohortFactory.build(
+                        cohort_label="cohort_label1",
+                        cohort_group="cohort_group1",
+                        positive_description="Positive Description",
+                        negative_description="Negative Description",
+                    )
+                ],
+            )
+        ],
+    )
+    campaign_data = {"CampaignConfig": campaign.model_dump(by_alias=True)}
+    s3_client.put_object(
+        Bucket=rules_bucket, Key=f"{campaign.name}.json", Body=json.dumps(campaign_data), ContentType="application/json"
+    )
+    yield campaign
+    s3_client.delete_object(Bucket=rules_bucket, Key=f"{campaign.name}.json")
+
+
 @pytest.fixture(scope="class")
 def multiple_campaign_configs(s3_client: BaseClient, rules_bucket: BucketName) -> Generator[list[CampaignConfig]]:
     """Create and upload multiple campaign configs to S3, then clean up after tests."""
@@ -1521,6 +1563,20 @@ def consumer_to_active_campaign_config_with_multiple_add_days_mapping(
     s3_client.delete_object(Bucket=consumer_mapping_bucket, Key="consumer_mapping.json")
 
 
+@pytest.fixture
+def consumer_to_active_campaign_config_with_custom_target_attributes_mapping(
+    s3_client: BaseClient,
+    consumer_mapping_bucket: ConsumerMapping,
+    campaign_config_with_custom_target_attributes: CampaignConfig,
+    consumer_id: ConsumerId,
+):
+    consumer_mapping = create_and_put_consumer_mapping_in_s3(
+        campaign_config_with_custom_target_attributes, consumer_id, consumer_mapping_bucket, s3_client
+    )
+    yield consumer_mapping
+    s3_client.delete_object(Bucket=consumer_mapping_bucket, Key="consumer_mapping.json")
+
+
 @pytest.fixture
 def consumer_to_campaign_having_inactive_iteration_mapping(
     s3_client: BaseClient,
diff --git a/tests/integration/in_process/test_derived_values.py b/tests/integration/in_process/test_derived_values.py
diff --git a/tests/unit/services/processors/test_derived_values.py b/tests/unit/services/processors/test_derived_values.py
diff --git a/tests/unit/services/processors/test_token_parser.py b/tests/unit/services/processors/test_token_parser.py
diff --git a/tests/unit/services/processors/test_token_processor.py b/tests/unit/services/processors/test_token_processor.py
diff --git a/tests/unit/services/processors/test_token_processor_derived.py b/tests/unit/services/processors/test_token_processor_derived.py
