eli-540 lambda to support hashed nhsnum (#483)

* secret handling

* Fixed some integration tests.

* Fixed integration test hashing serivce.

* Stub for hashing service and secret repo.

* Fixed integration tests.

* Added logic for current and previous hash checks.

* Added global const for secret

* added previous secret testing.

* Update logic with nhs fallback.

* Fixed linting.

* pyright errors fixed.

* more info on error message.

* Added extra tests for person repo function.

* Added tests and linting.

* Added hashing service tests.

* Added testing and linting.

* refined tests.

* Updated logic as per PR feedback.

* Refactored integration tests hashing service factory.

* Refactored persisted person factory.

* Added parma test for scenarios.

* Updated scenarios for key tests.

* updated description.

* linting.

* Added docstring for secret key scenario tests

* Added more person repo test scenarios and updated docstring

---------

Co-authored-by: karthikeyannhs <[email protected]>
Co-authored-by: Robert <[email protected]>

Author: 3 people

src/eligibility_signposting_api/config/config.py

@@ -5,6 +5,7 @@
 
 from yarl import URL
 
+from eligibility_signposting_api.processors.hashing_service import HashSecretName
 from eligibility_signposting_api.repos.campaign_repo import BucketName
 from eligibility_signposting_api.repos.person_repo import TableName
 
@@ -22,6 +23,7 @@ def config() -> dict[str, Any]:
     person_table_name = TableName(os.getenv("PERSON_TABLE_NAME", "test_eligibility_datastore"))
     rules_bucket_name = BucketName(os.getenv("RULES_BUCKET_NAME", "test-rules-bucket"))
     audit_bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
+    hashing_secret_name = HashSecretName(os.getenv("HASHING_SECRET_NAME", "test_secret"))
     aws_default_region = AwsRegion(os.getenv("AWS_DEFAULT_REGION", "eu-west-1"))
     enable_xray_patching = bool(os.getenv("ENABLE_XRAY_PATCHING", "false"))
     kinesis_audit_stream_to_s3 = AwsKinesisFirehoseStreamName(
@@ -42,6 +44,8 @@ def config() -> dict[str, Any]:
             "firehose_endpoint": None,
             "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
             "enable_xray_patching": enable_xray_patching,
+            "secretsmanager_endpoint": None,
+            "hashing_secret_name": hashing_secret_name,
             "log_level": log_level,
         }
 
@@ -58,5 +62,7 @@ def config() -> dict[str, Any]:
         "firehose_endpoint": URL(os.getenv("FIREHOSE_ENDPOINT", local_stack_endpoint)),
         "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
         "enable_xray_patching": enable_xray_patching,
+        "secretsmanager_endpoint": URL(os.getenv("SECRET_MANAGER_ENDPOINT", local_stack_endpoint)),
+        "hashing_secret_name": hashing_secret_name,
         "log_level": log_level,
     }

src/eligibility_signposting_api/processors/__init__.py

@@ -0,0 +1,42 @@
+import hashlib
+import hmac
+from typing import Annotated, NewType
+
+from wireup import Inject, service
+
+from eligibility_signposting_api.repos.secret_repo import SecretRepo
+
+HashSecretName = NewType("HashSecretName", str)
+
+
+def _hash(nhs_number: str, secret_value: str | None) -> str | None:
+    if not secret_value:
+        return None
+
+    nhs_str = str(nhs_number)
+
+    return hmac.new(
+        secret_value.encode("utf-8"),
+        nhs_str.encode("utf-8"),
+        hashlib.sha512,
+    ).hexdigest()
+
+
+@service
+class HashingService:
+    def __init__(
+        self,
+        secret_repo: Annotated[SecretRepo, Inject()],
+        hash_secret_name: Annotated[HashSecretName, Inject(param="hashing_secret_name")],
+    ) -> None:
+        super().__init__()
+        self.secret_repo = secret_repo
+        self.hash_secret_name = hash_secret_name
+
+    def hash_with_current_secret(self, nhs_number: str) -> str | None:
+        secret_value = self.secret_repo.get_secret_current(self.hash_secret_name).get("AWSCURRENT")
+        return _hash(nhs_number, secret_value)
+
+    def hash_with_previous_secret(self, nhs_number: str) -> str | None:
+        secret_value = self.secret_repo.get_secret_previous(self.hash_secret_name).get("AWSPREVIOUS")
+        return _hash(nhs_number, secret_value)

src/eligibility_signposting_api/processors/hashing_service.py

@@ -1,5 +1,6 @@
 from .campaign_repo import CampaignRepo
 from .exceptions import NotFoundError
 from .person_repo import PersonRepo
+from .secret_repo import SecretRepo
 
-__all__ = ["CampaignRepo", "NotFoundError", "PersonRepo"]
+__all__ = ["CampaignRepo", "NotFoundError", "PersonRepo", "SecretRepo"]

src/eligibility_signposting_api/repos/__init__.py

@@ -43,3 +43,17 @@ def firehose_client_factory(
 ) -> BaseClient:
     endpoint_url = str(firehose_endpoint) if firehose_endpoint is not None else None
     return session.client("firehose", endpoint_url=endpoint_url)
+
+
+@service(qualifier="secretsmanager")
+def secretsmanager_client_factory(
+    session: Session,
+    secretsmanager_endpoint: Annotated[URL, Inject(param="secretsmanager_endpoint")],
+    aws_default_region: Annotated[AwsRegion, Inject(param="aws_default_region")],
+) -> BaseClient:
+    endpoint_url = str(secretsmanager_endpoint) if secretsmanager_endpoint is not None else None
+    return session.client(
+        service_name="secretsmanager",
+        endpoint_url=endpoint_url,
+        region_name=aws_default_region,
+    )

src/eligibility_signposting_api/repos/factory.py

@@ -7,6 +7,7 @@
 
 from eligibility_signposting_api.model.eligibility_status import NHSNumber
 from eligibility_signposting_api.model.person import Person
+from eligibility_signposting_api.processors.hashing_service import HashingService
 from eligibility_signposting_api.repos.exceptions import NotFoundError
 
 logger = logging.getLogger(__name__)
@@ -32,17 +33,50 @@ class PersonRepo:
     This data is held in a handful of records in a single Dynamodb table.
     """
 
-    def __init__(self, table: Annotated[Any, Inject(qualifier="person_table")]) -> None:
+    def __init__(
+        self,
+        table: Annotated[Any, Inject(qualifier="person_table")],
+        hashing_service: Annotated[HashingService, Inject()],
+    ) -> None:
         super().__init__()
         self.table = table
+        self._hashing_service = hashing_service
+
+    def get_person_record(self, nhs_hash: str | None) -> Any:
+        if nhs_hash:
+            response = self.table.query(KeyConditionExpression=Key("NHS_NUMBER").eq(nhs_hash))
+
+            items = response.get("Items", [])
+            has_person = any(item.get("ATTRIBUTE_TYPE") == "PERSON" for item in items)
+
+            if has_person:
+                return items
+
+        return None
 
     def get_eligibility_data(self, nhs_number: NHSNumber) -> Person:
-        response = self.table.query(KeyConditionExpression=Key("NHS_NUMBER").eq(nhs_number))
+        # AWSCURRENT secret
+        nhs_hash = self._hashing_service.hash_with_current_secret(nhs_number)
+        items = self.get_person_record(nhs_hash)
+
+        if not items:
+            logger.error("No person record found for hashed nhs_number using secret AWSCURRENT")
+
+            # AWSPREVIOUS secret
+            nhs_hash = self._hashing_service.hash_with_previous_secret(nhs_number)
 
-        if not (items := response.get("Items")) or not next(
-            (item for item in items if item.get("ATTRIBUTE_TYPE") == "PERSON"), None
-        ):
-            message = f"Person not found with nhs_number {nhs_number}"
-            raise NotFoundError(message)
+            if nhs_hash is not None:
+                items = self.get_person_record(nhs_hash)
+                if not items:
+                    logger.error("No person record found for hashed nhs_number using secret AWSPREVIOUS")
+                    message = "Person not found after checking AWSCURRENT and AWSPREVIOUS."
+                    raise NotFoundError(message)
+            else:
+                # fallback not hashed NHS number
+                items = self.get_person_record(nhs_number)
+                if not items:
+                    logger.error("No person record found for not hashed nhs_number")
+                    message = "Person not found after checking AWSCURRENT, AWSPREVIOUS, and not hashed NHS numbers."
+                    raise NotFoundError(message)
 
         return Person(data=items)

src/eligibility_signposting_api/repos/person_repo.py

@@ -0,0 +1,36 @@
+import logging
+from typing import Annotated, NewType
+
+from botocore.client import BaseClient
+from botocore.exceptions import ClientError
+from wireup import Inject, service
+
+logger = logging.getLogger(__name__)
+
+SecretName = NewType("SecretName", str)
+
+
+@service
+class SecretRepo:
+    def __init__(self, secret_manager: Annotated[BaseClient, Inject(qualifier="secretsmanager")]) -> None:
+        super().__init__()
+        self.secret_manager = secret_manager
+
+    def _get_secret_by_stage(self, secret_name: str, stage: str) -> dict[str, str]:
+        """Internal helper to fetch a secret by version stage."""
+        try:
+            response = self.secret_manager.get_secret_value(
+                SecretId=secret_name,
+                VersionStage=stage,
+            )
+            return {stage: response["SecretString"]}
+
+        except ClientError:
+            logger.exception("Failed to get secret %s at stage %s", secret_name, stage)
+            return {}
+
+    def get_secret_current(self, secret_name: str) -> dict[str, str]:
+        return self._get_secret_by_stage(secret_name, "AWSCURRENT")
+
+    def get_secret_previous(self, secret_name: str) -> dict[str, str]:
+        return self._get_secret_by_stage(secret_name, "AWSPREVIOUS")