validate campaignId

alexnuttall · alexnuttall · commit 526b0a069c9c · 2025-10-07T13:45:54.000+01:00
diff --git a/infrastructure/terraform/modules/backend-api/module_create_routing_config_lambda.tf b/infrastructure/terraform/modules/backend-api/module_create_routing_config_lambda.tf
@@ -65,4 +65,15 @@ data "aws_iam_policy_document" "create_routing_config_lambda_policy" {
       var.kms_key_arn
     ]
   }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+    ]
+
+    resources = [local.client_ssm_path_pattern]
+  }
 }
diff --git a/infrastructure/terraform/modules/backend-api/module_update_routing_config_lambda.tf b/infrastructure/terraform/modules/backend-api/module_update_routing_config_lambda.tf
@@ -65,4 +65,15 @@ data "aws_iam_policy_document" "update_routing_config_lambda_policy" {
       var.kms_key_arn
     ]
   }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+    ]
+
+    resources = [local.client_ssm_path_pattern]
+  }
 }
diff --git a/scripts/sandbox_auth.sh b/scripts/sandbox_auth.sh
@@ -47,7 +47,7 @@ if [[ "$get_user_command_exit_code" -ne 0 ]]; then
 
   client_config_param_name="$client_ssm_path_prefix/$notify_client_id"
 
-  client_config_param_value="{ "campaignId": "campaign", "features": { "proofing": true } }"
+  client_config_param_value='{ "campaignIds": ["campaign"], "features": { "proofing": true } }'
 
   if aws ssm get-parameter --name "$client_config_param_name" --with-decryption >/dev/null 2>&1; then
     echo "Client config parameter already exists: $client_config_param_name"
diff --git a/tests/test-team/helpers/auth/cognito-auth-helper.ts b/tests/test-team/helpers/auth/cognito-auth-helper.ts
@@ -34,6 +34,7 @@ type TestUserStaticDetails = {
 
 type TestUserDynamicDetails = {
   email: string;
+  campaignIds?: string[];
   clientId: string;
   password: string;
   clientName?: string;
@@ -261,6 +262,7 @@ export class CognitoAuthHelper {
     const clientConfig: ClientConfiguration | undefined =
       testClients[userDetails.clientKey];
     const clientName = clientConfig?.name;
+    const campaignIds = clientConfig?.campaignIds;
 
     const clientAttributes = [
       { Name: 'custom:sbx_client_id', Value: clientId },
@@ -319,6 +321,7 @@ export class CognitoAuthHelper {
         userId:
           user.User?.Attributes?.find((attr) => attr.Name === 'sub')?.Value ??
           '',
+        campaignIds,
         clientId: clientId,
         clientKey: userDetails.clientKey,
         clientName: clientName,
diff --git a/tests/test-team/helpers/factories/routing-config-factory.ts b/tests/test-team/helpers/factories/routing-config-factory.ts
@@ -7,14 +7,15 @@ import type {
   FactoryRoutingConfig,
   RoutingConfigDbEntry,
 } from '../../helpers/types';
+import { TestUser } from 'helpers/auth/cognito-auth-helper';
 
 export const RoutingConfigFactory = {
   create(
-    user: { userId: string; clientId: string },
+    user: TestUser,
     routingConfig: Partial<RoutingConfig> = {}
   ): FactoryRoutingConfig {
     const apiPayload: CreateUpdateRoutingConfig = {
-      campaignId: 'campaign-1',
+      campaignId: user.campaignIds?.[0] ?? 'campaign',
       cascade: [
         {
           cascadeGroups: ['standard'],
diff --git a/tests/test-team/template-mgmt-api-tests/create-routing-configuration.api.spec.ts b/tests/test-team/template-mgmt-api-tests/create-routing-configuration.api.spec.ts
@@ -130,6 +130,36 @@ test.describe('POST /v1/routing-configuration', () => {
     });
   });
 
+  test('returns 400 if campaignId is not available for the client', async ({
+    request,
+  }) => {
+    const campaignId = 'not_a_client_campaign';
+
+    const response = await request.post(
+      `${process.env.API_BASE_URL}/v1/routing-configuration`,
+      {
+        headers: {
+          Authorization: await user1.getAccessToken(),
+        },
+        data: RoutingConfigFactory.create(user1, {
+          campaignId,
+        }).apiPayload,
+      }
+    );
+
+    const dbgClientCampaigns = JSON.stringify(user1.campaignIds);
+    expect(user1.campaignIds?.includes(campaignId), dbgClientCampaigns).toBe(
+      false
+    );
+
+    expect(response.status()).toBe(400);
+
+    expect(await response.json()).toEqual({
+      statusCode: 400,
+      technicalMessage: 'Invalid campaign ID in request',
+    });
+  });
+
   test('ignores status if given - routing config cannot be completed at create time', async ({
     request,
   }) => {
diff --git a/tests/test-team/template-mgmt-api-tests/update-routing-config.api.spec.ts b/tests/test-team/template-mgmt-api-tests/update-routing-config.api.spec.ts
@@ -84,13 +84,16 @@ test.describe('PUT /v1/routing-configuration/:routingConfigId', () => {
   test('returns 404 if routing config exists but is owned by a different client', async ({
     request,
   }) => {
+    const { apiPayload, dbEntry } =
+      RoutingConfigFactory.create(userDifferentClient);
+
     const updateResponse = await request.put(
-      `${process.env.API_BASE_URL}/v1/routing-configuration/${routingConfigNoUpdates.dbEntry.id}`,
+      `${process.env.API_BASE_URL}/v1/routing-configuration/${dbEntry.id}`,
       {
         headers: {
           Authorization: await userDifferentClient.getAccessToken(),
         },
-        data: routingConfigNoUpdates.apiPayload,
+        data: apiPayload,
       }
     );
 
@@ -167,6 +170,36 @@ test.describe('PUT /v1/routing-configuration/:routingConfigId', () => {
     });
   });
 
+  test('returns 400 if campaignId is not available for the client', async ({
+    request,
+  }) => {
+    const campaignId = 'not_a_client_campaign';
+
+    const response = await request.put(
+      `${process.env.API_BASE_URL}/v1/routing-configuration/${routingConfigNoUpdates.dbEntry.id}`,
+      {
+        headers: {
+          Authorization: await user1.getAccessToken(),
+        },
+        data: RoutingConfigFactory.create(user1, {
+          campaignId,
+        }).apiPayload,
+      }
+    );
+
+    const dbgClientCampaigns = JSON.stringify(user1.campaignIds);
+    expect(user1.campaignIds?.includes(campaignId), dbgClientCampaigns).toBe(
+      false
+    );
+
+    expect(response.status()).toBe(400);
+
+    expect(await response.json()).toEqual({
+      statusCode: 400,
+      technicalMessage: 'Invalid campaign ID in request',
+    });
+  });
+
   test('returns 404 - cannot update a DELETED routing config', async ({
     request,
   }) => {
@@ -198,7 +231,7 @@ test.describe('PUT /v1/routing-configuration/:routingConfigId', () => {
   }) => {
     const update = {
       ...routingConfigSuccessfullyUpdate.apiPayload,
-      campaignId: 'new campaignId',
+      name: 'new name',
     };
 
     const updateResponse = await request.put(

Original file line number	Diff line number	Diff line change
`@@ -65,4 +65,15 @@ data "aws_iam_policy_document" "create_routing_config_lambda_policy" {`
`65`	`65`	`var.kms_key_arn`
`66`	`66`	`]`
`67`	`67`	`}`
	`68`	`+`
	`69`	`+ statement {`
	`70`	`+ sid = "AllowSSMParameterRead"`
	`71`	`+ effect = "Allow"`
	`72`	`+`
	`73`	`+ actions = [`
	`74`	`+ "ssm:GetParameter",`
	`75`	`+ ]`
	`76`	`+`
	`77`	`+ resources = [local.client_ssm_path_pattern]`
	`78`	`+ }`
`68`	`79`	`}`