Change ANDS handle minting interaction to use an Authorization header

Change ANDS Minting interaction to use an Authorization header instead of white-listed IP address secret-less requests
ardc-shorn · Jul 21, 2018 · dc92746 · dc92746
1 parent f8fae9d
commit dc92746
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 53 deletions.
diff --git a/.gitignore b/.gitignore
@@ -93,7 +93,7 @@ ENV/
 .ropeproject
 
 # Build Artifacts
-*.tmp
+tmp/
 artifacts/
 admin/deployment
 *template-out.yaml

diff --git a/README.md b/README.md
@@ -87,6 +87,7 @@ aws cloudformation deploy --template-file template-out.yaml \
 --stack-name RAiD --parameter-overrides \
 JwtSecret=YOUR_SECRET \
 AndsAppId=ANDS_APP_ID \
+AndsSecret=ANDS_SECRET \
 AndsSubnets=SUBNET_ID \
 AndsSecurityGroups=SECURITY_GROUP \
 ElasticsearchHost=ES_URL \

diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,5 @@
+boto3==1.4.4
+PyJWT==1.4.2
+requests==2.18.4
+boto==2.48.0
+pytz==2017.3
diff --git a/sam/template.yaml b/sam/template.yaml
@@ -13,7 +13,13 @@
 # aws cloudformation deploy \=
 # --template-file <path-to-file>/template-out.yaml \
 # --stack-name <STACK_NAME>  \
-# --parameter-overrides JwtSecret=<<jwt-secret>> AndsService=<<ands_service>> DemoAndsService=<<ands_service>> AndsAppId=<<app_id>> AndsSubnets=<<subnet1,subnet2>> AndsSecurityGroups=<<sg1,sg1>> ElasticsearchHost=<<....ap-southeast-2.es.amazonaws.com>>\
+# --parameter-overrides JwtSecret=<<jwt-secret>> \
+#       AndsService=<<ands_service>> \
+#       DemoAndsService=<<ands_service>> \
+#       AndsAppId=<<app_id>> \
+#       AndsSubnets=<<subnet1,subnet2>> \
+#       AndsSecurityGroups=<<sg1,sg1>> \
+#       ElasticsearchHost=<<....ap-southeast-2.es.amazonaws.com>> \
 # --capabilities CAPABILITY_IAM
 ---
 AWSTemplateFormatVersion: '2010-09-09'
@@ -49,12 +55,8 @@ Parameters:
     Type: String
   AndsAppId:
     Type: String
-  AndsSubnets:
-    Type: CommaDelimitedList
-    Description: "Comma seperated subnet ids that have access to ANDS handle minting service"
-  AndsSecurityGroups:
-    Type: CommaDelimitedList
-    Description: "Comma seperated security group ids that have inbound/outbound access to ANDS handle minting service"
+  AndsSecret:
+    Type: String
   ElasticsearchHost:
     Type: String
 Globals:
@@ -190,7 +192,7 @@ Resources:
   CustomAuthorizer:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.auth_handlers.custom_authorisation_handler
       Role: !GetAtt CustomAuthorizerRole.Arn
       Environment:
@@ -211,7 +213,7 @@ Resources:
   AuthenticateToken:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.auth_handlers.authenticate_token_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -235,7 +237,7 @@ Resources:
   GetRaidPublic:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_public_handlers.get_raid_public_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -253,7 +255,7 @@ Resources:
   RedirectRaidContentPath:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_public_handlers.redirect_raid_path_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -272,7 +274,7 @@ Resources:
   GetRaids:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_handlers.get_raids_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -293,15 +295,10 @@ Resources:
   CreateRaid:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_handlers.create_raid_handler
       Timeout: 30
       Role: !GetAtt CrudLambdaIAMRole.Arn
-      VpcConfig:
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Environment:
         Variables:
           ELASTICSEARCH_HOST: !Ref ElasticsearchHost
@@ -310,27 +307,28 @@ Resources:
           ANDS_SERVICE: !Ref AndsService
           DEMO_ANDS_SERVICE: !Ref DemoAndsService
           ANDS_APP_ID: !Ref AndsAppId
+          ANDS_SECRET: !Ref AndsSecret
           ASSOCIATION_DEMO_TABLE: !GetAtt RAiDDemoDB.Outputs.RAiDAssociationDB
           ASSOCIATION_TABLE: !GetAtt RAiDLiveDB.Outputs.RAiDAssociationDB
+      Tracing: Active
       Events:
         CreateRaidHandle:
           Type: Api
           Properties:
             RestApiId: !Ref ApiGatewayApi
             Path: /RAiD
             Method: POST
+        RunHotTimer:
+          Type: Schedule
+          Properties:
+            Schedule: rate(5 minutes)
   UpdateRaid:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_handlers.update_raid
       Timeout: 30
       Role: !GetAtt CrudLambdaIAMRole.Arn
-      VpcConfig:
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Environment:
         Variables:
           ELASTICSEARCH_HOST: !Ref ElasticsearchHost
@@ -341,17 +339,23 @@ Resources:
           ANDS_SERVICE: !Ref AndsService
           DEMO_ANDS_SERVICE: !Ref DemoAndsService
           ANDS_APP_ID: !Ref AndsAppId
+          ANDS_SECRET: !Ref AndsSecret
+      Tracing: Active
       Events:
         UpdateRaidHandle:
           Type: Api
           Properties:
             RestApiId: !Ref ApiGatewayApi
             Path: /RAiD/{raidId}
             Method: PUT
+        RunHotTimer:
+          Type: Schedule
+          Properties:
+            Schedule: rate(5 minutes)
   GetRaid:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.raid_handlers.get_raid_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -372,7 +376,7 @@ Resources:
   GetOwnerRaids:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.owner_handlers.get_owner_raids_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -393,7 +397,7 @@ Resources:
   UpdateRaidOwner:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.owner_handlers.update_raid_owner_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -414,7 +418,7 @@ Resources:
   GetProviders:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.provider_handlers.get_providers_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -430,7 +434,7 @@ Resources:
   GetRaidProviders:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.provider_handlers.get_raid_providers_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -450,7 +454,7 @@ Resources:
   CreateRaidProviderAssociation:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.provider_handlers.create_raid_provider_association_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -470,7 +474,7 @@ Resources:
   EndRaidProviderAssociation:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.provider_handlers.end_raid_provider_association_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -491,7 +495,7 @@ Resources:
   GetInstitutions:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.institution_handlers.get_institutions_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -507,7 +511,7 @@ Resources:
   GetRaidInstitutions:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.institution_handlers.get_raid_institutions_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -527,7 +531,7 @@ Resources:
   CreateRaidInstitutionAssociation:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.institution_handlers.create_raid_institution_association_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:
@@ -547,7 +551,7 @@ Resources:
   EndRaidInstitutionAssociation:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: ../src
+      CodeUri: ../build
       Handler: handlers.institution_handlers.end_raid_institution_association_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       Environment:

diff --git a/src/handlers/raid_handlers.py b/src/handlers/raid_handlers.py
@@ -14,7 +14,7 @@
 
 # Set Logging Level
 logger = logging.getLogger()
-logger.setLevel(logging.ERROR)
+logger.setLevel(logging.INFO)
 
 
 def get_raids_handler(event, context):
@@ -125,7 +125,13 @@ def create_raid_handler(event, context):
         elif environment == settings.LIVE_ENVIRONMENT:
             ands_url_path = "{}mint?type=URL&value={}".format(os.environ["ANDS_SERVICE"], raid_item['contentPath'])
 
-        ands_mint = ands_helpers.ands_handle_request(ands_url_path, os.environ["ANDS_APP_ID"], "raid", "raid.org.au")
+        ands_mint = ands_helpers.ands_handle_request(
+            ands_url_path,
+            os.environ["ANDS_APP_ID"],
+            "raid",
+            "raid.org.au",
+            os.environ["ANDS_SECRET"],
+        )
 
         ands_handle = ands_mint["handle"]
 
@@ -171,8 +177,8 @@ def create_raid_handler(event, context):
         return web_helpers.generate_web_body_response('500', {
             'message': "Unable to create a RAiD as ANDS was unable to mint the content path."}, event)
 
-    except:
-        logger.error('Unable to create RAiD: {}'.format(sys.exc_info()[0]))
+    except Exception as e:
+        logger.error('Unable to create RAiD: {}'.format(e))
         return web_helpers.generate_web_body_response('400', {
             'message': "Unable to perform request due to error. Please check structure of the body."}, event)
 
@@ -333,7 +339,13 @@ def update_raid(event, context):
                 ands_url_path = "{}modifyValueByIndex?handle={}&value={}&index={}".format(
                     os.environ["ANDS_SERVICE"], raid_item['handle'], new_content_path, raid_item['contentIndex'])
 
-            ands_mint = ands_helpers.ands_handle_request(ands_url_path, os.environ["ANDS_APP_ID"], "raid", "raid.org.au")
+            ands_mint = ands_helpers.ands_handle_request(
+                ands_url_path,
+                os.environ["ANDS_APP_ID"],
+                "raid",
+                "raid.org.au",
+                os.environ["ANDS_SECRET"],
+            )
 
             # Update content path and index
             update_response = raid_table.update_item(