[PRM-52] Edge lambda S3 presign url changes (#607)

* [PRM-52] Changes to edge lambda to hide pre-sign url
* [PRM-52] Reformat edge service
* [PRM-52] Change expiry

Author: NogaNHS

lambdas/handlers/edge_presign_handler.py

@@ -1,30 +1,24 @@
-import logging
-
 from services.edge_presign_service import EdgePresignService
+from utils.audit_logging_setup import LoggingService
 from utils.decorators.handle_edge_exceptions import handle_edge_exceptions
 from utils.decorators.override_error_check import override_error_check
 from utils.decorators.set_audit_arg import set_request_context_for_logging
-from utils.decorators.validate_s3_request import validate_s3_request
 
-logger = logging.getLogger()
-logger.setLevel(logging.INFO)
+logger = LoggingService(__name__)
 
 
 @set_request_context_for_logging
 @override_error_check
 @handle_edge_exceptions
-@validate_s3_request
 def lambda_handler(event, context):
     request: dict = event["Records"][0]["cf"]["request"]
     logger.info("Edge received S3 request")
+    logger.info(f"Request: {request}")
 
     edge_presign_service = EdgePresignService()
-    request_values: dict = edge_presign_service.filter_request_values(request)
-    edge_presign_service.use_presign(request_values)
+    modified_request = edge_presign_service.use_presigned(request)
 
-    forwarded_request: dict = edge_presign_service.update_s3_headers(
-        request, request_values
-    )
+    forwarded_request: dict = edge_presign_service.update_s3_headers(modified_request)
 
     logger.info("Edge forwarding S3 request")
     return forwarded_request

lambdas/requirements/requirements_edge_lambda.txt

@@ -1,4 +1,3 @@
-asposestorage==1.0.2
 boto3==1.35.3
 botocore==1.35.3
 pydantic==2.8.2

lambdas/services/base/dynamo_service.py

@@ -128,12 +128,13 @@ def update_item(
             "UpdateExpression": update_expression,
             "ExpressionAttributeNames": expression_attribute_names,
             "ExpressionAttributeValues": generated_expression_attribute_values,
+            "ReturnValues": "ALL_NEW",
         }
 
         if condition_expression:
             update_item_args["ConditionExpression"] = condition_expression
 
-        table.update_item(**update_item_args)
+        return table.update_item(**update_item_args)
 
     def delete_item(self, table_name: str, key: dict):
         try:

lambdas/services/edge_presign_service.py

@@ -1,10 +1,8 @@
-import hashlib
 import re
 
 from botocore.exceptions import ClientError
 from enums.lambda_error import LambdaError
 from services.base.dynamo_service import DynamoDBService
-from services.base.s3_service import S3Service
 from services.base.ssm_service import SSMService
 from utils.audit_logging_setup import LoggingService
 from utils.lambda_exceptions import CloudFrontEdgeException
@@ -15,83 +13,74 @@
 class EdgePresignService:
     def __init__(self):
         self.dynamo_service = DynamoDBService()
-        self.s3_service = S3Service()
         self.ssm_service = SSMService()
         self.table_name_ssm_param = "EDGE_REFERENCE_TABLE"
 
-    def use_presign(self, request_values: dict):
-        uri: str = request_values["uri"]
-        querystring: str = request_values["querystring"]
-        domain_name: str = request_values["domain_name"]
+    def use_presigned(self, request_values: dict) -> dict:
+        request_id = self._extract_request_id(request_values)
+        domain_name = self._extract_domain_name(request_values)
 
-        presign_string: str = f"{uri}?{querystring}"
-        encoded_presign_string = presign_string.encode("utf-8")
-        presign_credentials_hash: str = hashlib.md5(encoded_presign_string).hexdigest()
+        presigned_url = self._attempt_presigned_ingestion(request_id, domain_name)
+        self._update_request_with_presigned_url(request_values, presigned_url)
 
-        self.attempt_presign_ingestion(
-            uri_hash=presign_credentials_hash,
-            domain_name=domain_name,
-        )
+        return request_values
 
-    def attempt_presign_ingestion(self, uri_hash: str, domain_name: str) -> None:
+    def _attempt_presigned_ingestion(self, request_id: str, domain_name: str) -> str:
         try:
-            environment = self.filter_domain_for_env(domain_name)
-            logger.info(f"Environment found: {environment}")
-            base_table_name: str = self.ssm_service.get_ssm_parameter(
-                self.table_name_ssm_param
-            )
-            formatted_table_name: str = self.extend_table_name(
-                base_table_name, environment
-            )
-            logger.info(f"Table: {formatted_table_name}")
-            self.dynamo_service.update_item(
-                table_name=formatted_table_name,
-                key_pair={"ID": uri_hash},
-                updated_fields={"IsRequested": True},
-                condition_expression="attribute_not_exists(IsRequested) OR IsRequested = :false",
-                expression_attribute_values={":false": False},
-            )
+            environment = self._filter_domain_for_env(domain_name)
+            table_name = self._get_formatted_table_name(environment)
+            updated_item = self._update_dynamo_item(table_name, request_id)
+            return self._extract_presigned_url(updated_item)
         except ClientError as e:
             logger.error(f"{str(e)}", {"Result": LambdaError.EdgeNoClient.to_str()})
             raise CloudFrontEdgeException(400, LambdaError.EdgeNoClient)
 
-    @staticmethod
-    def update_s3_headers(request: dict, request_values: dict):
-        domain_name = request_values["domain_name"]
-        if "authorization" in request["headers"]:
-            del request["headers"]["authorization"]
+    def update_s3_headers(self, request: dict) -> dict:
+        domain_name = self._extract_domain_name(request)
+        request["headers"].pop("authorization", None)
         request["headers"]["host"] = [{"key": "Host", "value": domain_name}]
-
         return request
 
-    @staticmethod
-    def filter_request_values(request: dict) -> dict:
-        try:
-            uri: str = request["uri"]
-            querystring: str = request["querystring"]
-            headers: dict = request["headers"]
-            origin: dict = request.get("origin", {})
-            domain_name: str = origin["s3"]["domainName"]
-        except KeyError as e:
-            logger.error(f"Missing request component: {str(e)}")
-            raise CloudFrontEdgeException(500, LambdaError.EdgeNoOrigin)
-
-        return {
-            "uri": uri,
-            "querystring": querystring,
-            "headers": headers,
-            "domain_name": domain_name,
-        }
+    def _extract_request_id(self, request_values: dict) -> str:
+        return request_values.get("uri", "").lstrip("/")
 
-    @staticmethod
-    def filter_domain_for_env(domain_name: str) -> str:
+    def _extract_domain_name(self, request_values: dict) -> str:
+        return request_values.get("origin", {}).get("s3", {}).get("domainName", "")
+
+    def _update_request_with_presigned_url(
+        self, request_values: dict, presigned_url: str
+    ):
+        question_mark_index = presigned_url.find("?")
+        querystring = (
+            presigned_url[question_mark_index + 1 :]
+            if question_mark_index != -1
+            else ""
+        )
+        url_parts = (
+            presigned_url[:question_mark_index].split("/")
+            if question_mark_index != -1
+            else presigned_url.split("/")
+        )
+        request_values["querystring"] = querystring
+        request_values["uri"] = "/" + "/".join(url_parts[3:])
+
+    def _filter_domain_for_env(self, domain_name: str) -> str:
         match = re.match(r"^[^-]+(?:-[^-]+)?(?=-lloyd)", domain_name)
-        if match:
-            return match.group(0)
-        return ""
+        return match.group(0) if match else ""
+
+    def _get_formatted_table_name(self, environment: str) -> str:
+        base_table_name = self.ssm_service.get_ssm_parameter(self.table_name_ssm_param)
+        return f"{environment}_{base_table_name}" if environment else base_table_name
+
+    def _update_dynamo_item(self, table_name: str, request_id: str) -> dict:
+        return self.dynamo_service.update_item(
+            table_name=table_name,
+            key_pair={"ID": request_id},
+            updated_fields={"IsRequested": True},
+            condition_expression="attribute_not_exists(IsRequested) OR IsRequested = :false",
+            expression_attribute_values={":false": False},
+        )
 
     @staticmethod
-    def extend_table_name(base_table_name: str, environment: str) -> str:
-        if environment:
-            return f"{environment}_{base_table_name}"
-        return base_table_name
+    def _extract_presigned_url(updated_item: dict) -> str:
+        return updated_item.get("Attributes", {}).get("presignedUrl", "")

lambdas/services/lloyd_george_stitch_job_service.py

@@ -1,5 +1,6 @@
 import os
-from datetime import datetime, timedelta
+import uuid
+from datetime import datetime, timedelta, timezone
 
 from botocore.exceptions import ClientError
 from enums.dynamo_filter import AttributeOperator
@@ -30,7 +31,7 @@ def __init__(self):
         self.document_service = DocumentService()
         self.stitch_trace_table = os.environ.get("STITCH_METADATA_DYNAMODB_NAME")
         self.lloyd_george_table_name = os.environ.get("LLOYD_GEORGE_DYNAMODB_NAME")
-
+        self.cloudfront_table_name = os.environ.get("EDGE_REFERENCE_TABLE")
         self.cloudfront_url = os.environ.get("CLOUDFRONT_URL")
         self.lloyd_george_bucket_name = os.environ.get("LLOYD_GEORGE_BUCKET_NAME")
 
@@ -162,7 +163,20 @@ def create_document_stitch_presigned_url(self, stitched_file_location):
             s3_bucket_name=self.lloyd_george_bucket_name,
             file_key=stitched_file_location,
         )
-        return format_cloudfront_url(presign_url_response, self.cloudfront_url)
+        presigned_id = str(uuid.uuid4())
+        deletion_date = datetime.now(timezone.utc)
+
+        ttl_half_an_hour_in_seconds = self.s3_service.presigned_url_expiry
+        dynamo_item_ttl = int(deletion_date.timestamp() + ttl_half_an_hour_in_seconds)
+        self.dynamo_service.create_item(
+            self.cloudfront_table_name,
+            {
+                "ID": presigned_id,
+                "presignedUrl": presign_url_response,
+                "TTL": dynamo_item_ttl,
+            },
+        )
+        return format_cloudfront_url(presigned_id, self.cloudfront_url)
 
     def check_lloyd_george_record_for_patient(self, nhs_number) -> None:
         try:

lambdas/tests/unit/enums/test_edge_presign_values.py

@@ -36,14 +36,14 @@
 EXPECTED_EDGE_MALFORMED_ERROR_MESSAGE = LambdaError.EdgeMalformed.value["message"]
 EXPECTED_EDGE_MALFORMED_ERROR_CODE = LambdaError.EdgeMalformed.value["err_code"]
 
-
+MOCK_PRESIGNED_URL = "https://presigned-url.com/path/to/resource"
 MOCK_S3_EDGE_EVENT = {
     "Records": [
         {
             "cf": {
                 "request": {
                     "headers": MOCKED_HEADERS,
-                    "querystring": MOCKED_AUTH_QUERY,
+                    "querystring": "",
                     "uri": "/some/path",
                     "origin": {
                         "s3": {