From ebf58a6e9b7babffa129b69fb7465f5fb549d8e6 Mon Sep 17 00:00:00 2001 From: Dan Lim <54864006+danlim715@users.noreply.github.com> Date: Thu, 19 Dec 2024 16:20:28 -0600 Subject: [PATCH] Validate document attachments at time of upload (#19532) * Validate document attachments at time of upload * Added flipper for extra validation steps --------- Co-authored-by: Wayne Weibel --- .github/CODEOWNERS | 3 + .../v0/claim_documents_controller.rb | 66 +++++++++-- app/models/persistent_attachment.rb | 3 + config/features.yml | 4 + lib/claim_documents/monitor.rb | 48 ++++++++ spec/fixtures/files/tiny.pdf | Bin 0 -> 291 bytes spec/lib/claim_documents/monitor_spec.rb | 50 ++++++++ spec/requests/swagger_spec.rb | 38 +++--- spec/requests/v0/claim_documents_spec.rb | 111 ++++++++++-------- .../uploads/validate_document.yml | 49 ++++++++ 10 files changed, 295 insertions(+), 77 deletions(-) create mode 100644 lib/claim_documents/monitor.rb create mode 100755 spec/fixtures/files/tiny.pdf create mode 100644 spec/lib/claim_documents/monitor_spec.rb create mode 100644 spec/support/vcr_cassettes/uploads/validate_document.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a1c5f57f338..65d46e7489d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -851,6 +851,7 @@ lib/caseflow @department-of-veterans-affairs/lighthouse-banana-peels @department lib/central_mail @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group lib/chip @department-of-veterans-affairs/vsa-healthcare-health-quest-1-backend @department-of-veterans-affairs/patient-check-in @department-of-veterans-affairs/backend-review-group lib/claim_letters @department-of-veterans-affairs/benefits-management-tools-be @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group +lib/claim_documents/monitor.rb @department-of-veterans-affairs/pension-and-burials @department-of-veterans-affairs/backend-review-group lib/clamav @department-of-veterans-affairs/backend-review-group lib/common/client/base.rb @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group lib/common/client/concerns/mhv_fhir_session_client.rb @department-of-veterans-affairs/vfs-mhv-medical-records @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group @@ -1419,6 +1420,7 @@ spec/lib/carma @department-of-veterans-affairs/vfs-10-10 @department-of-veterans spec/lib/caseflow @department-of-veterans-affairs/lighthouse-banana-peels @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/lib/central_mail @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/lib/chip @department-of-veterans-affairs/vsa-healthcare-health-quest-1-backend @department-of-veterans-affairs/patient-check-in @department-of-veterans-affairs/backend-review-group +spec/lib/claim_documents/monitor_spec.rb @department-of-veterans-affairs/pension-and-burials @department-of-veterans-affairs/backend-review-group spec/lib/claim_status_tool @department-of-veterans-affairs/benefits-management-tools-be @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/lib/common/client/concerns/mhv_fhir_session_client_spec.rb @department-of-veterans-affairs/vfs-mhv-medical-records @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/lib/common/client/concerns/mhv_jwt_session_client_spec.rb @department-of-veterans-affairs/vfs-mhv-medical-records @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group @@ -2127,6 +2129,7 @@ spec/support/vcr_cassettes/spec/support @department-of-veterans-affairs/octo-ide spec/support/vcr_cassettes/staccato @department-of-veterans-affairs/vfs-10-10 @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/support/vcr_cassettes/token_validation @department-of-veterans-affairs/lighthouse-banana-peels @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/support/vcr_cassettes/travel_pay @department-of-veterans-affairs/travel-pay-integration @department-of-veterans-affairs/backend-review-group +spec/support/vcr_cassettes/uploads/validate_document.yml @department-of-veterans-affairs/pension-and-burials @department-of-veterans-affairs/backend-review-group spec/spupport/vcr_cassettes/user/get_facilities_empty.yml @department-of-veterans-affairs/vfs-facilities-frontend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/support/vcr_cassettes/va_forms @department-of-veterans-affairs/platform-va-product-forms @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group spec/support/vcr_cassettes/va_notify @department-of-veterans-affairs/va-notify-write @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group diff --git a/app/controllers/v0/claim_documents_controller.rb b/app/controllers/v0/claim_documents_controller.rb index 86449fe0812..2fef551ea4a 100644 --- a/app/controllers/v0/claim_documents_controller.rb +++ b/app/controllers/v0/claim_documents_controller.rb @@ -2,28 +2,38 @@ require 'pension_burial/tag_sentry' require 'lgy/tag_sentry' +require 'claim_documents/monitor' +require 'lighthouse/benefits_intake/service' +require 'pdf_utilities/datestamp_pdf' module V0 class ClaimDocumentsController < ApplicationController service_tag 'claims-shared' skip_before_action(:authenticate) + before_action :load_user def create - Rails.logger.info "Creating PersistentAttachment FormID=#{form_id}" + uploads_monitor.track_document_upload_attempt(form_id, current_user) - attachment = klass.new(form_id:) + @attachment = klass&.new(form_id:) # add the file after so that we have a form_id and guid for the uploader to use - attachment.file = unlock_file(params['file'], params['password']) + @attachment.file = unlock_file(params['file'], params['password']) - raise Common::Exceptions::ValidationErrors, attachment unless attachment.valid? + if %w[21P-527EZ 21P-530 21P-530V2].include?(form_id) && + Flipper.enabled?(:document_upload_validation_enabled) && !stamped_pdf_valid? - attachment.save + raise Common::Exceptions::ValidationErrors, @attachment + end + + raise Common::Exceptions::ValidationErrors, @attachment unless @attachment.valid? - Rails.logger.info "Success creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment.id}" + @attachment.save - render json: PersistentAttachmentSerializer.new(attachment) + uploads_monitor.track_document_upload_success(form_id, @attachment.id, current_user) + + render json: PersistentAttachmentSerializer.new(@attachment) rescue => e - Rails.logger.error "Error creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment.id} #{e}" + uploads_monitor.track_document_upload_failed(form_id, @attachment&.id, current_user, e) raise e end @@ -31,7 +41,7 @@ def create def klass case form_id - when '21P-527EZ', '21P-530EZ' + when '21P-527EZ', '21P-530EZ', '21P-530V2' PensionBurial::TagSentry.tag_sentry PersistentAttachments::PensionBurial when '21-686C', '686C-674' @@ -47,7 +57,7 @@ def form_id end def unlock_file(file, file_password) - return file unless File.extname(file) == '.pdf' && file_password + return file unless File.extname(file) == '.pdf' && file_password.present? pdftk = PdfForms.new(Settings.binaries.pdftk) tmpf = Tempfile.new(['decrypted_form_attachment', '.pdf']) @@ -69,5 +79,41 @@ def unlock_file(file, file_password) file.tempfile = tmpf file end + + # rubocop:disable Metrics/MethodLength + def stamped_pdf_valid? + extension = File.extname(@attachment&.file&.id) + allowed_types = PersistentAttachment::ALLOWED_DOCUMENT_TYPES + + if allowed_types.exclude?(extension) + raise Common::Exceptions::UnprocessableEntity.new( + detail: I18n.t('errors.messages.extension_allowlist_error', extension:, allowed_types:), + source: 'PersistentAttachment.stamped_pdf_valid?' + ) + elsif @attachment&.file&.size&.< PersistentAttachment::MINIMUM_FILE_SIZE + raise Common::Exceptions::UnprocessableEntity.new( + detail: 'File size must not be less than 1.0 KB', + source: 'PersistentAttachment.stamped_pdf_valid?' + ) + end + + document = PDFUtilities::DatestampPdf.new(@attachment.to_pdf).run(text: 'VA.GOV', x: 5, y: 5) + intake_service.valid_document?(document:) + rescue BenefitsIntake::Service::InvalidDocumentError => e + @attachment.errors.add(:attachment, e.message) + false + rescue PdfForms::PdftkError + @attachment.errors.add(:attachment, 'File is corrupt and cannot be uploaded') + false + end + # rubocop:enable Metrics/MethodLength + + def intake_service + @intake_service ||= BenefitsIntake::Service.new + end + + def uploads_monitor + @uploads_monitor ||= ClaimDocuments::Monitor.new + end end end diff --git a/app/models/persistent_attachment.rb b/app/models/persistent_attachment.rb index f37730ed72b..ac967d3f5af 100644 --- a/app/models/persistent_attachment.rb +++ b/app/models/persistent_attachment.rb @@ -8,6 +8,9 @@ class PersistentAttachment < ApplicationRecord include SetGuid + ALLOWED_DOCUMENT_TYPES = %w[.pdf .jpg .jpeg .png].freeze + MINIMUM_FILE_SIZE = 1.kilobyte.freeze + has_kms_key has_encrypted :file_data, key: :kms_key, **lockbox_options belongs_to :saved_claim, inverse_of: :persistent_attachments, optional: true diff --git a/config/features.yml b/config/features.yml index c4d42a7791a..ef8e771bc7d 100644 --- a/config/features.yml +++ b/config/features.yml @@ -90,6 +90,10 @@ features: disability_compensation_staging_lighthouse_brd: actor_type: user description: Switches to Lighthouse Staging BRD Service. NEVER ENABLE IN PRODUCTION. + document_upload_validation_enabled: + actor_type: user + description: Enables stamped PDF validation on document upload + enable_in_development: true hca_browser_monitoring_enabled: actor_type: user description: Enables browser monitoring for the health care application. diff --git a/lib/claim_documents/monitor.rb b/lib/claim_documents/monitor.rb new file mode 100644 index 00000000000..14c68d398c7 --- /dev/null +++ b/lib/claim_documents/monitor.rb @@ -0,0 +1,48 @@ +# frozen_string_literal: true + +require 'logging/monitor' + +module ClaimDocuments + ## + # Monitor functions for Rails logging and StatsD + # @todo abstract, split logging for controller and sidekiq + # + class Monitor < ::Logging::Monitor + # statsd key for document uploads + DOCUMENT_STATS_KEY = 'api.claim_documents' + + def initialize + super('claim_documents') + end + + def track_document_upload_attempt(form_id, current_user) + additional_context = { + user_account_uuid: current_user&.user_account_uuid, + tags: ["form_id:#{form_id}"] + } + track_request('info', "Creating PersistentAttachment FormID=#{form_id}", "#{DOCUMENT_STATS_KEY}.attempt", + **additional_context) + end + + def track_document_upload_success(form_id, attachment_id, current_user) + additional_context = { + attachment_id:, + user_account_uuid: current_user&.user_account_uuid, + tags: ["form_id:#{form_id}"] + } + track_request('info', "Success creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment_id}", + "#{DOCUMENT_STATS_KEY}.success", **additional_context) + end + + def track_document_upload_failed(form_id, attachment_id, current_user, e) + additional_context = { + attachment_id:, + user_account_uuid: current_user&.user_account_uuid, + tags: ["form_id:#{form_id}"], + message: e&.message + } + track_request('error', "Error creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment_id} #{e}", + "#{DOCUMENT_STATS_KEY}.failure", **additional_context) + end + end +end diff --git a/spec/fixtures/files/tiny.pdf b/spec/fixtures/files/tiny.pdf new file mode 100755 index 0000000000000000000000000000000000000000..593558f9a45127a9d0c28d7a7a98b718b96bffe5 GIT binary patch literal 291 zcmZ9HK?{OF5QXmx`yb}wv355#2*g8{mx#o=iH8k0F~kks!20!#nijsp!oK%CX2yzk z;X*7qB?36;>)rF%<@Hc3kVcj|XOYZR11k(;-&a+JNdNmodxRZ|tV!&SOIe_wl>spo zI(t@NN0k+FtJ{QQXoH=OG$n1VZj^9v@R { - 'form_id' => '21P-530EZ', - file: fixture_file_upload('spec/fixtures/files/doctors-note.pdf') - } - ) + VCR.use_cassette('uploads/validate_document') do + expect(subject).to validate( + :post, + '/v0/claim_attachments', + 200, + '_data' => { + 'form_id' => '21P-530EZ', + file: fixture_file_upload('spec/fixtures/files/doctors-note.pdf') + } + ) - expect(subject).to validate( - :post, - '/v0/claim_attachments', - 422, - '_data' => { - 'form_id' => '21P-530EZ', - file: fixture_file_upload('spec/fixtures/files/empty_file.txt') - } - ) + expect(subject).to validate( + :post, + '/v0/claim_attachments', + 422, + '_data' => { + 'form_id' => '21P-530EZ', + file: fixture_file_upload('spec/fixtures/files/empty_file.txt') + } + ) + end end it 'supports checking stem_claim_status' do diff --git a/spec/requests/v0/claim_documents_spec.rb b/spec/requests/v0/claim_documents_spec.rb index 32446d2818d..ec1a0148505 100644 --- a/spec/requests/v0/claim_documents_spec.rb +++ b/spec/requests/v0/claim_documents_spec.rb @@ -16,69 +16,80 @@ end it 'uploads a file' do - params = { file:, form_id: '21P-527EZ' } - expect do - post('/v0/claim_documents', params:) - end.to change(PersistentAttachment, :count).by(1) - expect(response).to have_http_status(:ok) - resp = JSON.parse(response.body) - expect(resp['data']['attributes'].keys.sort).to eq(%w[confirmation_code name size]) - expect(PersistentAttachment.last).to be_a(PersistentAttachments::PensionBurial) + VCR.use_cassette('uploads/validate_document') do + params = { file:, form_id: '21P-527EZ' } + expect do + post('/v0/claim_documents', params:) + end.to change(PersistentAttachment, :count).by(1) + expect(response).to have_http_status(:ok) + resp = JSON.parse(response.body) + expect(resp['data']['attributes'].keys.sort).to eq(%w[confirmation_code name size]) + expect(PersistentAttachment.last).to be_a(PersistentAttachments::PensionBurial) + end end it 'uploads a file to the alternate route' do - params = { file:, form_id: '21P-527EZ' } - expect do - post('/v0/claim_attachments', params:) - end.to change(PersistentAttachment, :count).by(1) - expect(response).to have_http_status(:ok) - resp = JSON.parse(response.body) - expect(resp['data']['attributes'].keys.sort).to eq(%w[confirmation_code name size]) - expect(PersistentAttachment.last).to be_a(PersistentAttachments::PensionBurial) + VCR.use_cassette('uploads/validate_document') do + params = { file:, form_id: '21P-527EZ' } + expect do + post('/v0/claim_attachments', params:) + end.to change(PersistentAttachment, :count).by(1) + expect(response).to have_http_status(:ok) + resp = JSON.parse(response.body) + expect(resp['data']['attributes'].keys.sort).to eq(%w[confirmation_code name size]) + expect(PersistentAttachment.last).to be_a(PersistentAttachments::PensionBurial) + end end it 'logs a successful upload' do - expect(Rails.logger).to receive(:info).with('Creating PersistentAttachment FormID=21P-527EZ') - expect(Rails.logger).to receive(:info).with( - /^Success creating PersistentAttachment FormID=21P-527EZ AttachmentID=\d+/ - ) - expect(Rails.logger).not_to receive(:error).with( - 'Error creating PersistentAttachment FormID=21P-527EZ AttachmentID= Common::Exceptions::ValidationErrors' - ) + VCR.use_cassette('uploads/validate_document') do + expect(Rails.logger).to receive(:info).with('Creating PersistentAttachment FormID=21P-527EZ', instance_of(Hash)) + expect(Rails.logger).to receive(:info).with( + /^Success creating PersistentAttachment FormID=21P-527EZ AttachmentID=\d+/, instance_of(Hash) + ) + expect(Rails.logger).not_to receive(:error).with( + 'Error creating PersistentAttachment FormID=21P-527EZ AttachmentID= Common::Exceptions::ValidationErrors' + ) - params = { file:, form_id: '21P-527EZ' } - expect do - post('/v0/claim_documents', params:) - end.to change(PersistentAttachment, :count).by(1) + params = { file:, form_id: '21P-527EZ' } + expect do + post('/v0/claim_documents', params:) + end.to change(PersistentAttachment, :count).by(1) + end end end context 'with an invalid file' do - let(:file) do - fixture_file_upload('empty_file.txt', 'text/plain') - end + let(:file) { fixture_file_upload('empty-file.jpg') } it 'does not upload the file' do - params = { file:, form_id: '21P-527EZ' } - expect do - post('/v0/claim_attachments', params:) - end.not_to change(PersistentAttachment, :count) - expect(response).to have_http_status(:unprocessable_entity) - resp = JSON.parse(response.body) - expect(resp['errors'][0]['title']).to eq('File size must not be less than 1.0 KB') + VCR.use_cassette('uploads/validate_document') do + params = { file:, form_id: '21P-527EZ' } + expect do + post('/v0/claim_attachments', params:) + end.not_to change(PersistentAttachment, :count) + expect(response).to have_http_status(:unprocessable_entity) + resp = JSON.parse(response.body) + expect(resp['errors'][0]['detail']).to eq('File size must not be less than 1.0 KB') + end end it 'logs the error' do - expect(Rails.logger).to receive(:info).with('Creating PersistentAttachment FormID=21P-527EZ') - expect(Rails.logger).not_to receive(:info).with( - /^Success creating PersistentAttachment FormID=21P-527EZ AttachmentID=\d+/ - ) - expect(Rails.logger).to receive(:error).with( - 'Error creating PersistentAttachment FormID=21P-527EZ AttachmentID= Common::Exceptions::ValidationErrors' - ) + VCR.use_cassette('uploads/validate_document') do + expect(Rails.logger).to receive(:info).with('Creating PersistentAttachment FormID=21P-527EZ', + hash_including(user_account_uuid: nil, + statsd: 'api.claim_documents.attempt')) + expect(Rails.logger).not_to receive(:info).with( + /^Success creating PersistentAttachment FormID=21P-527EZ AttachmentID=\d+/ + ) + expect(Rails.logger).to receive(:error).with( + 'Error creating PersistentAttachment FormID=21P-527EZ AttachmentID= Common::Exceptions::UnprocessableEntity', + instance_of(Hash) + ) - params = { file:, form_id: '21P-527EZ' } - post('/v0/claim_attachments', params:) + params = { file:, form_id: '21P-527EZ' } + post('/v0/claim_attachments', params:) + end end end @@ -88,9 +99,11 @@ end it 'does not raise an error when password is correct' do - params = { file:, form_id: '26-1880', password: 'test' } - post('/v0/claim_attachments', params:) - expect(response).to have_http_status(:ok) + VCR.use_cassette('uploads/validate_document') do + params = { file:, form_id: '26-1880', password: 'test' } + post('/v0/claim_attachments', params:) + expect(response).to have_http_status(:ok) + end end it 'raises an error when password is incorrect' do diff --git a/spec/support/vcr_cassettes/uploads/validate_document.yml b/spec/support/vcr_cassettes/uploads/validate_document.yml new file mode 100644 index 00000000000..cf4ca401aa8 --- /dev/null +++ b/spec/support/vcr_cassettes/uploads/validate_document.yml @@ -0,0 +1,49 @@ +--- +http_interactions: +- request: + method: post + uri: "/services/vba_documents/v1/uploads/validate_document" + body: + encoding: ASCII-8BIT + string: !binary |- +  + headers: + Accept: + - application/json + Content-Type: + - application/pdf + User-Agent: + - Vets.gov Agent + Apikey: + - fake_api_key + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + response: + status: + code: 200 + message: OK + headers: + Date: + - Tue, 03 Dec 2024 17:51:46 GMT + Content-Type: + - application/json; charset=utf-8 + Content-Length: + - '52' + Connection: + - keep-alive + Access-Control-Allow-Origin: + - "*" + Cache-Control: + - '' + Strict-Transport-Security: + - max-age=31536000; includeSubDomains; preload + X-Frame-Options: + - SAMEORIGIN + body: + encoding: UTF-8 + string: |- + { + "message":"Invalid authentication credentials" + } + recorded_at: Tue, 03 Dec 2024 17:51:46 GMT +recorded_with: VCR 6.3.1