✅ Trivy gate: no Critical/High vulnerabilities.
Trivy Filesystem Scan Summary
Filesystem: /tmp/artifact
✅ No vulnerabilities found.
7595562 to a9f2f2f
a9f2f2f to ae7f964
9054c38 to 62ba4bc
1732712 to 6c8de20
Deployment Complete
nhsd-jack-wainwright left a comment
LGTM 👍, just some minor comments
| @@ -37,9 +43,15 @@ | |||
| def forward_request(path_params): | |||
| app.logger.info("received request with data: %s", request.get_data(as_text=True)) | |||
Not to do with your changes, but given you're updating this file as part of your changes, would you mind removing this log line here, as this leads to a Sonar issue due to us logging user-provided text?
Removed this now.
| app.logger.info("received request with data: %s", request.get_data(as_text=True)) | ||
|
|
||
| if TARGET_CONTAINER == "MOCKS": | ||
| base_url = "http://mocks:8080" # NOSONAR python:S5332 |
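Review bot: the `# NOSONAR python:S5332` on the `base_url = "http://mocks:8080"` line silences the clear-text protocol rule without saying why it is safe here. Add a short justification next to the suppression (for example that this URL is only reachable on the local container network), so the exemption is not copied to a URL that leaves the host.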
I think it would be cleaner here if the URL to forward traffic was provided as an environment variable rather than being dependent on the type of TARGET_CONTAINER.
I've updated this now
|
|
||
| if TARGET_CONTAINER == "MOCKS": | ||
| base_url = "http://mocks:8080" # NOSONAR python:S5332 | ||
| content_type = "application/x-www-form-urlencoded" |
Should the content type be different here locally for the mocks? I think the request provided to the lambda will always be JSON from API gateway even if the request from the client is different?
I was testing to see if it mattered for how the data is received; I've just set it to be JSON now.
| @@ -0,0 +1,20 @@ | |||
| import logging.config | |||
|
|
|||
| logging.config.dictConfig( | |||
Rather than using the standard Python logging library, does it make more sense to use the AWS Lambda Powertools logger like we are with the main pathology lambda?
|
|
||
|
|
||
| def check_authenticated(token: str) -> bool: | ||
| dynamodb = boto3.resource("dynamodb") |
Very minor, but could this dynamodb client be moved out of this method just into the file to allow for the client to be reused across multiple authentication checks?
I was planning a larger change to how we interact with AWS resources in the PDM mock. I've left this as is for now, but it can be changed before merging if we don't want to wait: Improvements in the PDM mock
| ), | ||
| ], | ||
| ) | ||
| def test_invalid_payload(self, payload: dict[str, Any], error_message: str) -> None: |
I wonder if it would be cleaner if these tests were executed against the public handle_request method? Mainly in case the private methods underneath the handle_request method are updated in the future.
Makefile
Outdated
| @mkdir -p infrastructure/images/pathology-api/resources/build | ||
| @cp -r pathology-api/target/pathology-api infrastructure/images/pathology-api/resources/build | ||
|
|
||
| @mkdir infrastructure/images/mocks/resources/build/ |
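Review bot: the `@mkdir infrastructure/images/mocks/resources/build/` line is missing `-p`, unlike the `@mkdir -p` used for pathology-api at the top of this hunk, so the target fails when the directory already exists or when a parent directory is missing. Use `mkdir -p` here as well so the build is repeatable.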
I think this logic should be updated to rely on just the mocks target directory, rather than unzipping the artifact.zip file.
changed this to be the same as the pathology-api lambda now
Makefile
Outdated
| $(docker) run --platform linux/amd64 --name pathology-api -p 5001:8080 --network $(dockerNetwork) -d localhost/pathology-api-image | ||
| $(docker) run --platform linux/amd64 --name mocks -p 5003:8080 --network $(dockerNetwork) -d localhost/mocks-image | ||
| $(docker) run --name api-gateway-mock -p 5002:5000 --network $(dockerNetwork) -d localhost/api-gateway-mock-image | ||
| $(docker) run --name api-gateway-mock-2 -p 5005:5000 -e TARGET_CONTAINER='MOCKS' --network $(dockerNetwork) -d localhost/api-gateway-mock-image |
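Review bot: every `-p` mapping in these four `run` lines (`5001:8080`, `5003:8080`, `5002:5000`, `5005:5000`) omits a host address, so the mock containers are published on all host interfaces rather than only on loopback. For a local test stack, prefix the mappings with the loopback address, for example `-p 127.0.0.1:5005:5000`, so the mocks are not reachable from other machines on the network.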
Maybe this mock should be named something like mocks-api-gateway rather than api-gateway-mock-2? If renaming this container it's probably worth renaming the existing api-gateway-mock container to be something like pathology-api-gateway.
I've renamed these now
| with pytest.raises(ValueError, match=error_message): | ||
| _get_jwk_key_from_url_by_kid("TEST-1") | ||
|
|
||
| @pytest.mark.parametrize( |
Is it worth including a scenario here where the expiry is too far in the future?
mocks/lambda_handler.py
Outdated
| _logger.debug("temp: %s", app.current_event.body) | ||
| _logger.debug("temp2: %s", app.current_event.decoded_body) |
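Review bot: both `_logger.debug` lines write the full request body (`app.current_event.body` and `app.current_event.decoded_body`) under the placeholder labels "temp" and "temp2", so the same payload reaches the log twice with no indication of what it is. Remove them before merge, or keep a single line with a descriptive message that logs only non-sensitive fields.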
Are these log lines required? I think these logs will include the client_assertion which does include a secret value (though the secret is only being used in a secret context here).
I was mostly using it for debugging, so it's not really necessary to keep.
I think we could do with some way of logging what the body receives without logging any actual secret values if we need some help debugging in the future
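One way to log the body without the secret, as the reply above asks for. This is an added example, not code from this PR: it assumes the body is `application/x-www-form-urlencoded`, and `redact_form_body`, the field names other than `client_assertion`, and the sample body are hypothetical.

```python
import logging
from urllib.parse import parse_qsl, urlencode

# client_assertion is the field named in the review; the other names are assumptions.
SENSITIVE_FIELDS = frozenset({"client_assertion", "client_secret", "access_token"})
REDACTED = "REDACTED"


def redact_form_body(body, sensitive=SENSITIVE_FIELDS):
    """Return a single-line, loggable copy of an x-www-form-urlencoded body."""
    if not body:
        return ""
    try:
        pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        # Not a form body: it may still hold a secret, so log only its size.
        return f"<unparseable body, {len(body)} chars>"
    safe = [(k, REDACTED if k.lower() in sensitive else v) for k, v in pairs]
    # urlencode() re-escapes CR/LF, so a value cannot forge extra log lines.
    return urlencode(safe)


# Constructed sample request body (the assertion value is not a real JWT).
SAMPLE_BODY = (
    "grant_type=client_credentials"
    "&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer"
    "&client_assertion=eyJhbGciOiJub25lIn0.constructed.signature"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("mocks")
    log.debug("request body: %s", redact_form_body(SAMPLE_BODY))
    log.debug("request body: %s", redact_form_body('{"not": "a form"}'))
```

Field names are matched case-insensitively, and a body that does not parse as a form is reduced to its length rather than logged verbatim.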
6c8de20 to dbbce28
Description
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that contains any sensitive information. We really appreciate your cooperation in this matter.