Only log to Insights if HMAC signature failed verification

This will help us filter out spam requests as they
should have passed the API key test - otherwise
malicious requests could send multiple requests
and trigger a calculation of the signature as well
as log to Insights.

Author: Harriethw

manage_breast_screening/notifications/tests/test_views.py

@@ -70,11 +70,6 @@ def test_create_message_status_with_invalid_request(mock_insights_logger):
     assert response.status_code == expected_response.status_code
     assert response.text == expected_response.text
 
-    mock_insights_logger.assert_called_once_with(
-        message="Signature does not match",
-        event_name="create_message_status_validation_error",
-    )
-
 
 def test_create_message_status_with_queue_configuration_error(mock_insights_logger):
     body = {"some": "data"}

manage_breast_screening/notifications/tests/validators/test_request_validator.py

@@ -71,6 +71,20 @@ def test_valid_with_invalid_api_key(self):
         req = self.mock_request(headers)
         assert RequestValidator(req).valid() == (False, "Invalid API key")
 
+    def test_valid_invalid_signature(self, mock_insights_logger):
+        """Test that valid headers with invalid signature doesn't pass verification."""
+        signature = "invalid_signature"
+        headers = {
+            RequestValidator.API_KEY_HEADER_NAME: "api_key",
+            RequestValidator.SIGNATURE_HEADER_NAME: signature,
+        }
+        req = self.mock_request(headers)
+        assert RequestValidator(req).valid() == (False, "Signature does not match")
+        mock_insights_logger.assert_called_with(
+            message="Signature does not match",
+            event_name="create_message_status_validation_error",
+        )
+
     def test_valid(self):
         """Test that valid API key and signature headers pass verification."""
         body = '{"this": "that"}'

manage_breast_screening/notifications/validators/request_validator.py

@@ -2,6 +2,10 @@
 import hmac
 import os
 
+from manage_breast_screening.notifications.services.application_insights_logging import (
+    ApplicationInsightsLogging,
+)
+
 
 class RequestValidator:
     ENCODING = "ASCII"
@@ -18,7 +22,12 @@ def valid(self) -> tuple[bool, str]:
             return False, error_message
 
         if not self.verify_signature():
-            return False, "Signature does not match"
+            error_message = "Signature does not match"
+            ApplicationInsightsLogging().custom_event(
+                message=error_message,
+                event_name="create_message_status_validation_error",
+            )
+            return False, error_message
 
         return True, ""
 

manage_breast_screening/notifications/views.py

@@ -26,10 +26,6 @@ def create_message_status(request):
     valid, message = RequestValidator(request).valid()
 
     if not valid:
-        ApplicationInsightsLogging().custom_event(
-            message=message,
-            event_name="create_message_status_validation_error",
-        )
         return JsonResponse({"error": {"message": message}}, status=400)
 
     try: