WIP :-(

Author: ayeshalshukri1-nhs

src/eligibility_signposting_api/repos/factory.py

@@ -43,3 +43,9 @@ def firehose_client_factory(
 ) -> BaseClient:
     endpoint_url = str(firehose_endpoint) if firehose_endpoint is not None else None
     return session.client("firehose", endpoint_url=endpoint_url)
+
+
+# @service(qualifier="secretsmanager")
+# def secretsmanager_client_factory(session: Session) -> BaseClient:
+#     return session.client("secretsmanager")
+

src/eligibility_signposting_api/repos/secrets.py

@@ -1,29 +1,90 @@
 from wireup import service
+import boto3
+from botocore.client import BaseClient
+from botocore.exceptions import ClientError
+from wireup import Inject, service
+from typing import Annotated
 
-@service(qualifier="nhs_hmac_key")
-def nhs_hmac_key_factory() -> bytes:
-    return b"abc123" # salt
+from boto3 import Session
 
-# import boto3
-# from botocore.exceptions import ClientError
+# @service(qualifier="nhs_hmac_key")
+# def nhs_hmac_key_factory() -> bytes: # -> dict[str, bytes]:
+#     # return b"abc123"
+#     keys: dict[str, bytes] = {}
+#     #return keys
 #
-# secret_name = "eligibility-signposting-api-dev/hashing_secret"
-# region_name = "eu-west-2"
+#     # return {
+#     # "AWSCURRENT": b"current_dummy_key",
+#     # "AWSPREVIOUS": b"previous_dummy_key"
+#     # }
 #
-# # Create a Secrets Manager client
-# session = boto3.session.Session()
-# client = session.client(
-#     service_name='secretsmanager',
-#     region_name=region_name
-# )
+#     for stage in ("AWSCURRENT", "AWSPREVIOUS"):
+#         value = get_secret_by_stage()
+#         if value:
+#             keys[stage] = value.encode("utf-8")
 #
-# try:
-#     get_secret_value_response = client.get_secret_value(
-#         SecretId=secret_name
-#     )
-# except ClientError as e:
-#     # For a list of exceptions thrown, see
-#     # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
-#     raise e
+#     # if keys = {}, then raise error
+#     if not keys:
+#         raise RuntimeError("No valid NHS HMAC secret keys available")
 #
-# secret = get_secret_value_response['SecretString']
+#     return keys
+
+@service(qualifier="secretsmanager")
+def secretsmanager_client_factory(session: Session) -> BaseClient:
+    return session.client("secretsmanager")
+
+
+@service(qualifier="nhs_hmac_key")
+def nhs_hmac_key_factory(
+    secrets_client: Annotated[BaseClient, Inject(qualifier="secretsmanager")],
+) -> bytes:
+    keys: dict[str, bytes] = {}
+
+    for stage in ("AWSCURRENT", "AWSPREVIOUS"):
+        value = get_secret_by_stage(secrets_client)
+        if value:
+            keys[stage] = value.encode("utf-8")
+
+    if not keys:
+        raise RuntimeError("No valid NHS HMAC secret keys available")
+
+    return keys
+
+
+def get_secret_by_stage(secrets_client: BaseClient
+                        #secrets_client: Annotated[BaseClient, Inject(qualifier="secretsmanager")],
+                        ) -> str:
+    secret_name = "eligibility-signposting-api-dev/hashing_secret"
+    region_name = "eu-west-2"
+    # client = boto3.client("secretsmanager", region_name=region_name)
+    stage="AWSCURRENT"
+    try:
+        secrets_client.describe_secret(SecretId=secret_name)
+    except ClientError as e:
+        raise RuntimeError(f"Secret '{secret_name}' does not exist") from e
+
+    version_stages = ["AWSCURRENT", "AWSPREVIOUS"]  # add "AWSPENDING" later
+
+    #for stage in version_stages:
+    try:
+        response = secrets_client.get_secret_value(
+            SecretId=secret_name,
+            VersionStage=stage
+        )
+        secret = response.get("SecretString") # response.get("SecretBinary")
+        if secret:
+            return secret
+    # except ClientError as e:
+    #     raise e # Needs expanding as it would raise after 1 iteration currently
+
+    except ClientError as e:
+        if e.response["Error"]["Code"] not in (
+            "ResourceNotFoundException",
+            "ResourceNotFound",
+            "ValidationException",
+        ):
+            raise e
+
+    raise RuntimeError(f"No valid version found for secret '{secret_name}'")
+
+

test.py

@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+import boto3
+from botocore.exceptions import ClientError
+
+
+def get_secret_by_stage(
+    stage: str,
+    secret_name: str = "eligibility-signposting-api-dev/hashing_secret",
+    region_name: str = "eu-west-2"
+) -> str:
+    """
+    Fetch a specific version of a secret from AWS Secrets Manager
+    by stage (AWSCURRENT or AWSPREVIOUS).
+    """
+
+    # Ensure fixed values override passed parameters
+    secret_name = "eligibility-signposting-api-dev/hashing_secret"
+    region_name = "eu-west-2"
+
+    client = boto3.client("secretsmanager", region_name=region_name)
+
+    # First check secret exists
+    try:
+        client.describe_secret(SecretId=secret_name)
+    except ClientError as e:
+        error_code = e.response["Error"].get("Code")
+        error_msg = e.response["Error"].get("Message")
+        raise RuntimeError(
+            f"Unable to describe secret '{secret_name}'. "
+            f"AWS ErrorCode={error_code}, Message={error_msg}"
+        ) from e
+
+    # Try to fetch the specified stage
+    try:
+        response = client.get_secret_value(
+            SecretId=secret_name,
+            VersionStage=stage,
+        )
+        print(response)
+        secret = response.get("SecretString")
+
+        if secret:
+            return secret
+
+    except ClientError as e:
+        err = e.response.get("Error", {})
+        code = err.get("Code")
+        msg = err.get("Message")
+        status = e.response.get("ResponseMetadata", {}).get("HTTPStatusCode")
+
+        # These usually mean: the secret exists, but that *stage* does not
+        if code in (
+            "ResourceNotFoundException",
+            "ResourceNotFound",
+            "ValidationException",
+        ):
+            raise RuntimeError(
+                f"No version found for stage '{stage}' on secret '{secret_name}'.\n"
+                f"- AWS ErrorCode: {code}\n"
+                f"- AWS Message:   {msg}\n"
+                f"- HTTP Status:   {status}"
+            ) from e
+
+        # Anything else is unexpected → bubble up with details
+        raise RuntimeError(
+            f"Error calling GetSecretValue for stage '{stage}' on secret '{secret_name}'.\n"
+            f"- AWS ErrorCode: {code}\n"
+            f"- AWS Message:   {msg}\n"
+            f"- HTTP Status:   {status}"
+        ) from e
+
+
+
+
+# Optional: allow CLI execution for quick testing
+if __name__ == "__main__":
+    print("Testing get_secret_by_stage:")
+    try:
+        current = get_secret_by_stage("AWSCURRENT")
+        print("AWSCURRENT =", current)
+    except Exception as e:
+        print("Failed to fetch AWSCURRENT:", e)
+
+    try:
+        previous = get_secret_by_stage("AWSPREVIOUS")
+        print("AWSPREVIOUS =", previous)
+    except Exception as e:
+        print("Failed to fetch AWSPREVIOUS:", e)

tests/unit/repos/test_secrets.py

@@ -4,7 +4,22 @@
 
 
 def test_nhs_hmac_key_factory_returns_bytes():
-    key = nhs_hmac_key_factory()
+    keys = nhs_hmac_key_factory()
+    assert True
 
-    assert isinstance(key, bytes)
-    assert key == b"abc123"
+
+# from moto import mock_aws
+# import boto3
+#
+# @mock_aws
+# def test_secret():
+#     client = boto3.client("secretsmanager", region_name="us-east-1")
+#
+#     client.create_secret(
+#         Name="my-secret",
+#         SecretString="value"
+#     )
+#
+#     resp = client.get_secret_value(SecretId="my-secret")
+#
+#     assert resp["SecretString"] == "value"