Merge pull request #1951 from trade-tariff/GL-913

GL-913: Create secret & inject in the env of the app
trade-tariff · Aug 21, 2024 · a31bbf9 · a31bbf9
2 parents ce8459c + 0145cd8
commit a31bbf9
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 4 deletions.
diff --git a/app/controllers/api/v2/green_lanes/base_controller.rb b/app/controllers/api/v2/green_lanes/base_controller.rb
@@ -17,18 +17,56 @@ def check_service
         end
 
         def authenticate
+          unless Rails.env.development? && TradeTariffBackend.green_lanes_api_keys.blank?
+            authenticated = authenticate_with_api_keys
+          end
+
           unless Rails.env.development? && TradeTariffBackend.green_lanes_api_tokens.blank?
-            authenticate_or_request_with_http_token do |provided_token, _options|
-              Rails.logger.debug provided_token
-              api_tokens.any? { |token| ActiveSupport::SecurityUtils.secure_compare(provided_token, token) }
-            end
+            authenticated ||= authenticate_with_api_tokens
+          end
+
+          unless authenticated || (Rails.env.development? && TradeTariffBackend.green_lanes_api_keys.blank?)
+            render json: { error: 'Invalid API Key' }, status: :bad_request
+          end
+        end
+
+        def authenticate_with_api_tokens
+          authenticate_or_request_with_http_token do |provided_token, _options|
+            Rails.logger.debug "Provided token: #{provided_token}"
+            api_tokens.any? { |token| ActiveSupport::SecurityUtils.secure_compare(provided_token, token) }
           end
+
+          true
+        end
+
+        def authenticate_with_api_keys
+          provided_key = request.headers['X-Api-Key']
+          return false if provided_key.blank?
+
+          Rails.logger.debug "Provided key: #{provided_key}"
+
+          return false unless api_keys.any? { |api_key| ActiveSupport::SecurityUtils.secure_compare(provided_key, api_key) }
+
+          true
         end
 
         def api_tokens
           @api_tokens ||= read_tokens
         end
 
+        def api_keys
+          @api_keys ||= read_api_keys
+        end
+
+        def read_api_keys
+          api_key_hash = JSON.parse(TradeTariffBackend.green_lanes_api_keys)
+          if api_key_hash.any?
+            api_key_hash['api_keys'].keys
+          else
+            []
+          end
+        end
+
         def read_tokens
           tokens = TradeTariffBackend.green_lanes_api_tokens
           if tokens.present?

diff --git a/app/lib/trade_tariff_backend.rb b/app/lib/trade_tariff_backend.rb
@@ -262,6 +262,10 @@ def green_lanes_api_tokens
       ENV['GREEN_LANES_API_TOKENS']
     end
 
+    def green_lanes_api_keys
+      ENV['GREEN_LANES_API_KEYS']
+    end
+
     def excise_alcohol_coercian_starts_from
       @excise_alcohol_coercian_starts_from ||= Date.parse(
         ENV.fetch(

diff --git a/terraform/README.md b/terraform/README.md
@@ -51,6 +51,7 @@ Terraform to deploy the service into AWS.
 | [aws_secretsmanager_secret.database_connection_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.database_readonly_connection_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.differences_to_emails](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.green_lanes_api_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.green_lanes_api_tokens](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.oauth_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.oauth_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |

diff --git a/terraform/data.tf b/terraform/data.tf
@@ -119,6 +119,10 @@ data "aws_secretsmanager_secret" "green_lanes_api_tokens" {
   name = "backend-green-lanes-api-tokens"
 }
 
+data "aws_secretsmanager_secret" "green_lanes_api_keys" {
+  name = "backend-green-lanes-api-keys"
+}
+
 data "aws_s3_bucket" "spelling_corrector" {
   bucket = "trade-tariff-search-configuration-${local.account_id}"
 }

diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -12,6 +12,7 @@ data "aws_iam_policy_document" "secrets" {
       data.aws_secretsmanager_secret.database_readonly_connection_string.arn,
       data.aws_secretsmanager_secret.differences_to_emails.arn,
       data.aws_secretsmanager_secret.green_lanes_api_tokens.arn,
+      data.aws_secretsmanager_secret.green_lanes_api_keys.arn,
       data.aws_secretsmanager_secret.oauth_id.arn,
       data.aws_secretsmanager_secret.oauth_secret.arn,
       data.aws_secretsmanager_secret.redis_frontend_connection_string.arn,

diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -204,6 +204,10 @@ locals {
       name      = "GREEN_LANES_API_TOKENS"
       valueFrom = data.aws_secretsmanager_secret.green_lanes_api_tokens.arn
     },
+    {
+      name      = "GREEN_LANES_API_KEYS"
+      valueFrom = data.aws_secretsmanager_secret.green_lanes_api_keys.arn
+    },
     {
       name      = "SENTRY_DSN"
       valueFrom = data.aws_secretsmanager_secret.sentry_dsn.arn