ministryofjustice · renovate · Jul 21, 2024 · Jul 22, 2024 · Jul 22, 2024 · Jul 22, 2024
diff --git a/.github/workflows/_docker_build_scan_push.yml b/.github/workflows/_docker_build_scan_push.yml
@@ -92,7 +92,7 @@ jobs:
           provenance: false
 
       - name: Trivy scan
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: '${{ steps.docker_tags.outputs.semver_tag }}'
           severity: 'HIGH,CRITICAL'

diff --git a/.github/workflows/analysis-codeql.yml b/.github/workflows/analysis-codeql.yml
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.25.3
+      uses: github/codeql-action/init@v3.25.12
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.25.3
+      uses: github/codeql-action/autobuild@v3.25.12
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.25.3
+      uses: github/codeql-action/analyze@v3.25.12
diff --git a/.github/workflows/analysis-tfsec-to-github-security.yml b/.github/workflows/analysis-tfsec-to-github-security.yml
@@ -32,6 +32,6 @@ jobs:
         with:
           sarif_file: tfsec.sarif
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3.25.3
+        uses: github/codeql-action/upload-sarif@v3.25.12
         with:
           sarif_file: tfsec.sarif
diff --git a/docs/support_scripts/load_testing/go.mod b/docs/support_scripts/load_testing/go.mod
@@ -2,6 +2,6 @@ module load_testing
 
 go 1.20
 
-require github.com/aws/aws-sdk-go v1.52.2
+require github.com/aws/aws-sdk-go v1.54.20
 
 require github.com/jmespath/go-jmespath v0.4.0 // indirect
diff --git a/docs/support_scripts/load_testing/go.sum b/docs/support_scripts/load_testing/go.sum
@@ -2,6 +2,8 @@ github.com/aws/aws-sdk-go v1.44.281 h1:z/ptheJvINaIAsKXthxONM+toTKw2pxyk700Hfm6y
 github.com/aws/aws-sdk-go v1.44.281/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go v1.52.2 h1:l4g9wBXRBlvCtScvv4iLZCzLCtR7BFJcXOnOGQ20orw=
 github.com/aws/aws-sdk-go v1.52.2/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.54.20 h1:FZ2UcXya7bUkvkpf7TaPmiL7EubK0go1nlXGLRwEsoo=
+github.com/aws/aws-sdk-go v1.54.20/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=

diff --git a/docs/support_scripts/requests/go.mod b/docs/support_scripts/requests/go.mod
@@ -2,6 +2,6 @@ module api_request
 
 go 1.20
 
-require github.com/aws/aws-sdk-go v1.52.2
+require github.com/aws/aws-sdk-go v1.54.20
 
 require github.com/jmespath/go-jmespath v0.4.0 // indirect
diff --git a/docs/support_scripts/requests/go.sum b/docs/support_scripts/requests/go.sum
@@ -2,6 +2,8 @@ github.com/aws/aws-sdk-go v1.44.284 h1:Oc5Kubi43/VCkerlt3ZU3KpBju6BpNkoG3s7E8vj/
 github.com/aws/aws-sdk-go v1.44.284/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go v1.52.2 h1:l4g9wBXRBlvCtScvv4iLZCzLCtR7BFJcXOnOGQ20orw=
 github.com/aws/aws-sdk-go v1.52.2/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.54.20 h1:FZ2UcXya7bUkvkpf7TaPmiL7EubK0go1nlXGLRwEsoo=
+github.com/aws/aws-sdk-go v1.54.20/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=

diff --git a/integration_tests/v1/requirements.txt b/integration_tests/v1/requirements.txt
@@ -1,10 +1,10 @@
-pytest==8.2.0
+pytest==8.2.2
 pytest-env==1.1.3
 pytest-xdist==3.6.1
 pytest-html==4.1.1
 requests_aws4auth==1.2.3
-boto3==1.34.98
-jsonschema==4.22.0
-fakeredis==2.22.0
+boto3==1.34.145
+jsonschema==4.23.0
+fakeredis==2.23.3
 flask==3.0.3
-coverage==7.5.0
+coverage==7.6.0
diff --git a/lambda_functions/v1/functions/lpa/app/__init__.py b/lambda_functions/v1/functions/lpa/app/__init__.py
@@ -4,7 +4,7 @@
 
 from .api.resources import api as api_blueprint
 
-from opg_sirius_service.sirius_handler import SiriusService
+from .sirius_handler import SiriusService
 from .config import Config
 
 

diff --git a/lambda_functions/v1/functions/lpa/app/sirius_handler.py b/lambda_functions/v1/functions/lpa/app/sirius_handler.py
@@ -0,0 +1,276 @@
+import datetime
+import json
+from urllib.parse import urlencode, quote
+
+import boto3
+import jwt
+import localstack_client.session
+import requests
+from botocore.exceptions import ClientError
+
+import logging
+
+logger = logging
+
+
+class SiriusService:
+    def __init__(self, config_params, cache):
+        try:
+            self.cache = cache
+            self.use_cache = False
+            self.sirius_base_url = config_params.SIRIUS_BASE_URL
+            self.environment = config_params.ENVIRONMENT
+            self.session_data = config_params.SESSION_DATA
+            self.request_timeout = config_params.REQUEST_TIMEOUT
+            self.request_caching = (
+                config_params.REQUEST_CACHING if cache else "disabled"
+            )
+            self.request_caching_name = (
+                config_params.REQUEST_CACHE_NAME
+                if config_params.REQUEST_CACHE_NAME
+                else "default_sirius_cache"
+            )
+            self.request_caching_ttl = (
+                config_params.REQUEST_CACHING_TTL
+                if config_params.REQUEST_CACHING_TTL
+                else 48
+            )
+        except Exception as e:
+            raise Exception(f"Error loading config e: {e}")
+
+    def build_sirius_url(self, endpoint, url_params=None):
+        """
+        Builds the url for the endpoint from variables (probably saved in env vars)
+
+        Args:
+            base_url: URL of the Sirius server
+            api_route: path to public api
+            endpoint: endpoint
+        Returns:
+            string: url
+        """
+
+        base_url = self.sirius_base_url
+
+        sirius_url = f"{base_url}/{quote(endpoint)}"
+
+        if url_params:
+            encoded_params = urlencode(url_params)
+            url = f"{sirius_url}?{encoded_params}"
+        else:
+            url = sirius_url
+
+        return url
+
+    def _get_secret(self):
+        """
+        Gets and decrypts the JWT secret from AWS Secrets Manager for the chosen environment
+        This was c&p directly from AWS Secrets Manager...
+
+        Args:
+            environment: AWS environment name
+        Returns:
+            JWT secret
+        Raises:
+            ClientError
+        """
+
+        environment = self.environment
+        secret_name = f"{environment}/jwt-key"
+        region_name = "eu-west-1"
+
+        if environment == "local":  # pragma: no cover
+            logger.debug("Using local AWS Secrets Manager")  # pragma: no cover
+            current_session = localstack_client.session.Session()  # pragma: no cover
+
+        else:
+            current_session = boto3.session.Session()
+
+        client = current_session.client(
+            service_name="secretsmanager", region_name=region_name
+        )
+
+        try:
+            get_secret_value_response = client.get_secret_value(SecretId=secret_name)
+            secret = get_secret_value_response["SecretString"]
+        except ClientError as e:
+            raise Exception(f"Unable to get secret from Secrets Manager: {e}")
+
+        return secret
+
+    def _build_sirius_headers(self, content_type="application/json"):
+        """
+        Builds headers for Sirius request, including JWT auth
+
+        Args:
+            content_type: string, defaults to 'application/json'
+        Returns:
+            Header dictionary with content type and auth token
+        """
+
+        if not content_type:
+            content_type = "application/json"
+
+        session_data = self.session_data
+
+        encoded_jwt = jwt.encode(
+            {
+                "session-data": session_data,
+                "iat": datetime.datetime.utcnow(),
+                "exp": datetime.datetime.utcnow() + datetime.timedelta(seconds=3600),
+            },
+            self._get_secret(),
+            algorithm="HS256",
+        )
+
+        return {
+            "Content-Type": content_type,
+            "Authorization": "Bearer " + encoded_jwt,
+        }
+
+    def _handle_sirius_error(
+        self, error_code=None, error_message=None, error_details=None
+    ):
+        error_code = error_code if error_code else 500
+        error_message = (
+            error_message if error_message else "Unknown error talking to Sirius"
+        )
+
+        try:
+            error_details = error_details["detail"]
+
+        except (KeyError, TypeError):
+            error_details = (
+                str(error_details) if len(str(error_details)) > 0 else "None"
+            )
+
+        message = f"{error_message}, details: {str(error_details)}"
+        return error_code, message
+
+    def check_sirius_available(self):
+        healthcheck_url = f"{self.sirius_base_url}/api/health-check"
+        try:
+            return (
+                True
+                if requests.get(
+                    url=healthcheck_url, timeout=self.request_timeout
+                ).status_code
+                == 200
+                else False
+            )
+        except Exception as e:
+            logger.error(f"Sirius Unavailable: {e}")
+            return False
+
+    def check_cache_available(self):
+        try:
+            return self.cache.ping()
+        except Exception as e:
+            logger.error(f"Unable to connect to cache: {e}")
+            return False
+
+    def send_request_to_sirius(self, key, url, method, content_type=None, data=None):
+        cache_enabled = True if self.request_caching == "enabled" else False
+        self.use_cache = False
+        if self.check_sirius_available():
+            sirius_status_code, sirius_data = self._get_data_from_sirius(
+                url, method, content_type, data
+            )
+            logger.debug(f"sirius_status_code: {sirius_status_code}")
+            logger.debug(f"cache_enabled: {cache_enabled}")
+            logger.debug(f"method: {method}")
+            if cache_enabled and method == "GET":
+                if sirius_status_code == 200 or sirius_status_code == 410:
+                    logger.debug(f"Putting data in cache with key: {key}")
+                    self._put_sirius_data_in_cache(
+                        key=key, data=sirius_data, status=sirius_status_code
+                    )
+
+            return sirius_status_code, sirius_data
+        else:
+            if cache_enabled and method == "GET":
+                self.use_cache = True
+                logger.debug(f"Getting data from cache with key: {key}")
+                sirius_status_code, sirius_data = self._get_sirius_data_from_cache(
+                    key=key
+                )
+
+                return sirius_status_code, sirius_data
+            else:
+                sirius_status_code, sirius_data = self._handle_sirius_error(
+                    error_message="Unable to send request to Sirius",
+                    error_details="Sirius not available - cache not enabled or incorrect method for cache",
+                )
+                return sirius_status_code, sirius_data
+
+    def _get_data_from_sirius(self, url, method, content_type=None, data=None):
+        logger.debug("_get_data_from_sirius")
+        headers = self._build_sirius_headers(content_type)
+
+        try:
+            if method == "PUT":
+                r = requests.put(url=url, data=data, headers=headers)
+                return r.status_code, r.json()
+
+            elif method == "POST":
+                r = requests.post(url=url, data=data, headers=headers)
+                if r.status_code == 204:
+                    return r.status_code, ""
+
+                return r.status_code, r.json()
+            elif method == "GET":
+                r = requests.get(url=url, headers=headers, timeout=self.request_timeout)
+                return r.status_code, r.json()
+            else:
+                return self._handle_sirius_error(
+                    error_message="Unable to send request to Sirius",
+                    error_details=f"Method {method} not allowed on Sirius route",
+                )
+
+        except Exception as e:
+            return self._handle_sirius_error(
+                error_message="Unable to send request to Sirius", error_details=e
+            )
+
+    def _put_sirius_data_in_cache(self, key, data, status):
+        logger.debug("_put_sirius_data_in_cache")
+        cache_name = self.request_caching_name
+        cache_ref = f"{cache_name}-{key}"
+
+        cache_ttl_in_seconds = self.request_caching_ttl * 60 * 60
+
+        data = json.dumps(data)
+
+        try:
+            self.cache.set(
+                name=f"{cache_ref}-{status}", value=data, ex=cache_ttl_in_seconds
+            )
+            logger.debug(f"setting redis: {cache_ref}-{status}")
+        except Exception as e:
+            logger.error(f"Unable to set cache: {cache_ref}-{status}, error {e}")
+
+    def _get_sirius_data_from_cache(self, key):
+        cache_name = self.request_caching_name
+        cache_ref = f"{cache_name}-{key}"
+
+        try:
+            if self.cache.exists(f"{cache_ref}-200"):
+                logger.debug(f"found redis cache: {cache_ref}-200")
+                status_code = 200
+                result = self.cache.get(f"{cache_ref}-200")
+                result = json.loads(result)
+            elif self.cache.exists(f"{cache_ref}-410"):
+                logger.debug(f"found redis cache: {cache_ref}-410")
+                status_code = 410
+                result = self.cache.get(f"{cache_ref}-410")
+                result = json.loads(result)
+            else:
+                logger.debug(f"no-cache exists for: {cache_ref}-[200, 410]")
+                status_code = 500
+                result = None
+        except Exception as e:
+            logger.error(f"Unable to get from cache: {cache_ref}, error {e}")
+            status_code = 500
+            result = None
+
+        return status_code, result