secret handling

Author: Karthikeyannhs

src/eligibility_signposting_api/config/config.py

@@ -5,6 +5,7 @@
 
 from yarl import URL
 
+from eligibility_signposting_api.processors.hashing_service import HashSecretName
 from eligibility_signposting_api.repos.campaign_repo import BucketName
 from eligibility_signposting_api.repos.person_repo import TableName
 
@@ -22,6 +23,7 @@ def config() -> dict[str, Any]:
     person_table_name = TableName(os.getenv("PERSON_TABLE_NAME", "test_eligibility_datastore"))
     rules_bucket_name = BucketName(os.getenv("RULES_BUCKET_NAME", "test-rules-bucket"))
     audit_bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
+    hashing_secret_name = HashSecretName(os.getenv("HASHING_SECRET_NAME", "test_secret"))
     aws_default_region = AwsRegion(os.getenv("AWS_DEFAULT_REGION", "eu-west-1"))
     enable_xray_patching = bool(os.getenv("ENABLE_XRAY_PATCHING", "false"))
     kinesis_audit_stream_to_s3 = AwsKinesisFirehoseStreamName(
@@ -42,6 +44,8 @@ def config() -> dict[str, Any]:
             "firehose_endpoint": None,
             "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
             "enable_xray_patching": enable_xray_patching,
+            "secretsmanager_endpoint": None,
+            "hashing_secret_name": hashing_secret_name,
             "log_level": log_level,
         }
 
@@ -58,5 +62,7 @@ def config() -> dict[str, Any]:
         "firehose_endpoint": URL(os.getenv("FIREHOSE_ENDPOINT", local_stack_endpoint)),
         "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
         "enable_xray_patching": enable_xray_patching,
+        "secretsmanager_endpoint": URL(os.getenv("SECRET_MANAGER_ENDPOINT", local_stack_endpoint)),
+        "hashing_secret_name": hashing_secret_name,
         "log_level": log_level,
     }

src/eligibility_signposting_api/processors/__init__.py

@@ -0,0 +1,34 @@
+import hashlib
+from typing import Annotated, NewType
+
+from wireup import service, Inject
+
+from eligibility_signposting_api.repos.secret_repo import SecretRepo
+
+HashSecretName = NewType("HashSecretName", str)
+
+
+def _hash(nhs_number: str, secret_value: str) -> str:
+    """Internal helper to hash NHS number with a given secret value."""
+    combined = f"{nhs_number}{secret_value}"
+    return hashlib.sha256(combined.encode("utf-8")).hexdigest()
+
+
+@service
+class HashingService:
+    def __init__(
+        self,
+        secret_repo: Annotated[SecretRepo, Inject()],
+        hash_secret_name: Annotated[HashSecretName, Inject(param="hashing_secret_name")],
+    ) -> None:
+        super().__init__()
+        self.secret_repo = secret_repo
+        self.hash_secret_name = hash_secret_name
+
+    def hash_with_current_secret(self, nhs_number: str) -> str:
+        secret_value = self.secret_repo.get_secret_current(self.hash_secret_name)["AWSCURRENT"]
+        return _hash(nhs_number, secret_value)
+
+    def hash_with_previous_secret(self, nhs_number: str) -> str:
+        secret_value = self.secret_repo.get_secret_previous(self.hash_secret_name)["AWSPREVIOUS"]
+        return _hash(nhs_number, secret_value)

src/eligibility_signposting_api/processors/hashing_service.py

@@ -1,5 +1,6 @@
 from .campaign_repo import CampaignRepo
 from .exceptions import NotFoundError
 from .person_repo import PersonRepo
+from .secret_repo import SecretRepo
 
-__all__ = ["CampaignRepo", "NotFoundError", "PersonRepo"]
+__all__ = ["CampaignRepo", "NotFoundError", "PersonRepo", "SecretRepo"]

src/eligibility_signposting_api/repos/__init__.py

@@ -43,3 +43,17 @@ def firehose_client_factory(
 ) -> BaseClient:
     endpoint_url = str(firehose_endpoint) if firehose_endpoint is not None else None
     return session.client("firehose", endpoint_url=endpoint_url)
+
+
+@service(qualifier="secretsmanager")
+def secretsmanager_client_factory(
+    session: Session,
+    secretsmanager_endpoint: Annotated[URL, Inject(param="secretsmanager_endpoint")],
+    aws_default_region: Annotated[AwsRegion, Inject(param="aws_default_region")],
+) -> BaseClient:
+    endpoint_url = str(secretsmanager_endpoint) if secretsmanager_endpoint is not None else None
+    return session.client(
+        service_name="secretsmanager",
+        endpoint_url=endpoint_url,
+        region_name=aws_default_region,
+    )

src/eligibility_signposting_api/repos/factory.py

@@ -7,6 +7,7 @@
 
 from eligibility_signposting_api.model.eligibility_status import NHSNumber
 from eligibility_signposting_api.model.person import Person
+from eligibility_signposting_api.processors.hashing_service import HashingService
 from eligibility_signposting_api.repos.exceptions import NotFoundError
 
 logger = logging.getLogger(__name__)
@@ -32,17 +33,26 @@ class PersonRepo:
     This data is held in a handful of records in a single Dynamodb table.
     """
 
-    def __init__(self, table: Annotated[Any, Inject(qualifier="person_table")]) -> None:
+    def __init__(self, table: Annotated[Any, Inject(qualifier="person_table")],
+                 hashing_service: Annotated[HashingService, Inject()]) -> None:
         super().__init__()
         self.table = table
+        self._hashing_service = hashing_service
 
     def get_eligibility_data(self, nhs_number: NHSNumber) -> Person:
-        response = self.table.query(KeyConditionExpression=Key("NHS_NUMBER").eq(nhs_number))
+        nhs_hash = self._hashing_service.hash_with_current_secret(nhs_number)
+        response = self.table.query(KeyConditionExpression=Key("NHS_NUMBER").eq(nhs_hash))
 
         if not (items := response.get("Items")) or not next(
             (item for item in items if item.get("ATTRIBUTE_TYPE") == "PERSON"), None
         ):
-            message = f"Person not found with nhs_number {nhs_number}"
-            raise NotFoundError(message)
+            nhs_hash = self._hashing_service.hash_with_previous_secret(nhs_number)
+            response = self.table.query(KeyConditionExpression=Key("NHS_NUMBER").eq(nhs_hash))
+
+            if not (items := response.get("Items")) or not next(
+                (item for item in items if item.get("ATTRIBUTE_TYPE") == "PERSON"), None
+            ):
+                message = f"Person not found with nhs_number {nhs_number}"
+                raise NotFoundError(message)
 
         return Person(data=items)

src/eligibility_signposting_api/repos/person_repo.py

@@ -0,0 +1,41 @@
+import logging
+from typing import Annotated, Any, NewType
+
+from botocore.client import BaseClient
+from botocore.exceptions import ClientError
+from wireup import Inject, service
+
+logger = logging.getLogger(__name__)
+
+SecretName = NewType("SecretName", str)
+
+
+@service
+class SecretRepo:
+    def __init__(
+        self,
+        secret_manager: Annotated[BaseClient, Inject(qualifier="secretsmanager")]
+    ) -> None:
+        super().__init__()
+        self.secret_manager = secret_manager
+
+    def _get_secret_by_stage(self, secret_name: str, stage: str) -> dict[str, str]:
+        """Internal helper to fetch a secret by version stage."""
+        try:
+            response = self.secret_manager.get_secret_value(
+                SecretId=secret_name,
+                VersionStage=stage,
+            )
+            return {stage: response["SecretString"]}
+        except ClientError as e:
+            logger.error("Failed to get secret %s at stage %s: %s", secret_name, stage, e)
+            raise
+
+    def get_secret_current(self, secret_name: str) -> dict[str, str]:
+        """Fetch the AWSCURRENT version of the secret."""
+        return self._get_secret_by_stage(secret_name, "AWSCURRENT")
+
+    def get_secret_previous(self, secret_name: str) -> dict[str, str]:
+        """Fetch the AWSPREVIOUS version of the secret."""
+        return self._get_secret_by_stage(secret_name, "AWSPREVIOUS")
+

src/eligibility_signposting_api/repos/secret_repo.py

@@ -114,6 +114,40 @@ def s3_client(boto3_session: Session, localstack: URL) -> BaseClient:
 def firehose_client(boto3_session: Session, localstack: URL) -> BaseClient:
     return boto3_session.client("firehose", endpoint_url=str(localstack))
 
+@pytest.fixture(scope="session")
+def secretsmanager_client(boto3_session: Session, localstack: URL) -> BaseClient:
+    """
+    Provides a boto3 Secrets Manager client bound to LocalStack.
+    Seeds a test secret for use in integration tests.
+    """
+    client:BaseClient = boto3_session.client(
+        service_name="secretsmanager",
+        endpoint_url=str(localstack),
+        region_name="eu-west-1"
+    )
+
+    secret_name = "test_secret"
+    secret_value = "test_value_old"
+
+    try:
+        client.create_secret(
+            Name=secret_name,
+            SecretString=secret_value,
+        )
+    except client.exceptions.ResourceExistsException:
+        client.put_secret_value(
+            SecretId=secret_name,
+            SecretString=secret_value,
+        )
+
+    secret_name = "test_secret"
+    secret_value = "test_value"
+
+    client.put_secret_value(
+        SecretId=secret_name,
+        SecretString=secret_value,
+    )
+    return client
 
 @pytest.fixture(scope="session")
 def iam_role(iam_client: BaseClient) -> Generator[str]:
@@ -209,6 +243,7 @@ def flask_function(lambda_client: BaseClient, iam_role: str, lambda_zip: Path) -
                     "DYNAMODB_ENDPOINT": os.getenv("LOCALSTACK_INTERNAL_ENDPOINT", "http://localstack:4566/"),
                     "S3_ENDPOINT": os.getenv("LOCALSTACK_INTERNAL_ENDPOINT", "http://localstack:4566/"),
                     "FIREHOSE_ENDPOINT": os.getenv("LOCALSTACK_INTERNAL_ENDPOINT", "http://localstack:4566/"),
+                    "SECRET_MANAGER_ENDPOINT": os.getenv("LOCALSTACK_INTERNAL_ENDPOINT", "http://localstack:4566/"),
                     "AWS_REGION": AWS_REGION,
                     "LOG_LEVEL": "DEBUG",
                 }

tests/integration/conftest.py

@@ -1,5 +1,6 @@
 from http import HTTPStatus
 
+from botocore.client import BaseClient
 from brunns.matchers.data import json_matching as is_json_that
 from brunns.matchers.werkzeug import is_werkzeug_response as is_response
 from flask.testing import FlaskClient
@@ -23,7 +24,8 @@ def test_nhs_number_given(
         self,
         client: FlaskClient,
         persisted_person: NHSNumber,
-        campaign_config: CampaignConfig,  # noqa: ARG002
+        campaign_config: CampaignConfig,
+        secretsmanager_client: BaseClient # noqa: ARG002
     ):
         # Given
         headers = {"nhs-login-nhs-number": str(persisted_person)}