
API-34434 Reject non-gateway requests to some APIs #15751

Merged
merged 1 commit into from
Mar 11, 2024

Conversation


@caseywilliams caseywilliams commented Mar 1, 2024

Summary

Updates APIs in the appeals_api, va_forms, and vba_documents modules so that they return an Unauthorized error if the request did not come through the gateway (only applies in production mode)

Related issue(s)

Testing done

  • New code is covered by unit tests
  • Describe what the old behavior was prior to the change
  • Describe the steps required to verify your changes are working as expected. Exclusively stating 'Specs run' is NOT acceptable as appropriate testing
  • If this work is behind a flipper:
    • Tests need to be written for both the flipper on and flipper off scenarios. Docs.
    • What is the testing plan for rolling out the feature?

What areas of the site does it impact?

  • All endpoints in the modules listed above which inherit from their local ApplicationControllers are affected

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • Feature/bug has a monitor built into Datadog or Grafana (if applicable)
  • If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected
  • I added a screenshot of the developed feature

@caseywilliams caseywilliams added Lighthouse lighthouse appeals Lighthouse API appeals banana-peels Lighthouse Banana Peels Team labels Mar 1, 2024
@caseywilliams caseywilliams requested a review from a team as a code owner March 1, 2024 01:28
@va-vfs-bot va-vfs-bot temporarily deployed to API-34434/block-non-gateway-reqs/main/main March 1, 2024 01:33 Inactive
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch 2 times, most recently from 80bf091 to ec7f286 Compare March 1, 2024 17:01
@va-vfs-bot va-vfs-bot temporarily deployed to API-34434/block-non-gateway-reqs/main/main March 1, 2024 17:49 Inactive
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch from ec7f286 to 6da7609 Compare March 1, 2024 18:05
@va-vfs-bot va-vfs-bot temporarily deployed to API-34434/block-non-gateway-reqs/main/main March 1, 2024 19:21 Inactive
# In deployed environments, the `source` parameter is filled in by the gateway - we only
# want to accept requests that come through the gateway:
raise Common::Exceptions::Unauthorized if Rails.env.production? && params[:source].blank?
end
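Review bot: the comment above the `raise` says "in deployed environments", but the condition only fires under `Rails.env.production?`, so staging and other non-production deployments keep accepting requests that bypass the gateway and the rejection path is first exercised in prod; an environment-independent switch (a feature flag defaulting to off, enabled per environment) would let the behaviour be verified before it reaches production. Separately, `params[:source].blank?` only proves that some value arrived in the request, not that the gateway put it there: confirm that Kong overwrites or strips any inbound `source` rather than adding one only when absent, and document which gateway-set signal the check relies on, since the thread already notes the parameter is not visible in the controller logs.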
Contributor

This code looks good at first glance, but have you confirmed that we definitely receive a source parameter? I checked our controller logs in Datadog and didn't see it listed alongside our params like id, icn, receiptDate, etc., which concerned me. Is it there but just being excluded from our logs?

Contributor Author

@cilestin told me that the source parameter is added automatically by Kong, but I don't know how to confirm that for sure

Contributor

@cilestin cilestin Mar 4, 2024

@caseywilliams Let's put this behind a feature flag so that we can change it live should things go wonky. Default to false and we can turn it on in different envs to ensure Prod isn't affected until we've tested it.

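An added example, not code from this pull request or from vets-api, showing how the gateway guard described in the PR summary can be structured around the feature flag the reviewer asks for: the flag defaults to off, and while it is off a non-gateway request is only logged (an "audit" decision) rather than rejected, which also answers the earlier question of whether the `source` parameter actually arrives, since the audit log will show it. The class and flag names (`GatewayGuard`, `FeatureFlags`, `:reject_non_gateway_requests`) are assumed for illustration; the real project uses Flipper and Rails controllers, and here the flag takes the place of the `Rails.env.production?` check so that enforcement can be switched per environment.

```ruby
# Added example (not code from the PR): a plain-Ruby model of a gateway
# guard gated by a feature flag that defaults to off. Names below are assumed.

class Unauthorized < StandardError; end

# Minimal stand-in for a Flipper-style flag store. Unknown flags are false,
# so enforcement is only ever enabled by an explicit per-environment action.
class FeatureFlags
  def initialize(flags = {})
    @flags = flags
  end

  def enabled?(name)
    @flags.fetch(name, false)
  end
end

module GatewayGuard
  FLAG = :reject_non_gateway_requests

  # Classify a request.
  #   params - request params hash; the gateway fills in params['source']
  #   flags  - FeatureFlags instance
  # Returns :allow when the gateway marker is present, :reject when it is
  # missing and enforcement is switched on, and :audit (log only) when it is
  # missing but the flag is still off. Treats nil and whitespace-only values
  # as missing, matching ActiveSupport's blank? for strings.
  def self.decision(params, flags:)
    return :allow unless params['source'].to_s.strip.empty?

    flags.enabled?(FLAG) ? :reject : :audit
  end

  # Controller-style hook (a before_action in Rails): raises Unauthorized
  # only for a :reject decision. In :audit mode it reports the would-be
  # rejection to the supplied logger so the rollout can be checked in the
  # logs before the flag is turned on. Returns true when the request proceeds.
  def self.enforce!(params, flags:, logger: nil)
    case decision(params, flags: flags)
    when :reject
      raise Unauthorized, 'request did not come through the gateway'
    when :audit
      logger&.call("non-gateway request would be rejected once #{FLAG} is enabled")
    end
    true
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one request with the gateway-set parameter,
  # one without, evaluated with the flag off and then on.
  off = FeatureFlags.new
  on  = FeatureFlags.new(GatewayGuard::FLAG => true)
  GatewayGuard.enforce!({ 'source' => 'gateway' }, flags: on, logger: ->(m) { puts m })
  GatewayGuard.enforce!({}, flags: off, logger: ->(m) { puts m })
  begin
    GatewayGuard.enforce!({}, flags: on)
  rescue Unauthorized => e
    puts "rejected: #{e.message}"
  end
end
```

The `:audit` branch is the design choice worth noting: it lets the flag be left off in every environment while the logs accumulate evidence of whether `source` is reliably set, and flipping it on changes only which branch `enforce!` takes, not the classification logic that was already observed.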
@caseywilliams caseywilliams requested a review from cilestin March 4, 2024 18:10
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch from 6da7609 to 8f63b84 Compare March 4, 2024 18:56
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch from 8f63b84 to b1829d7 Compare March 5, 2024 23:39
@caseywilliams caseywilliams requested review from a team as code owners March 5, 2024 23:39
@caseywilliams caseywilliams requested a review from cilestin March 5, 2024 23:49
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch from b1829d7 to b462e3b Compare March 6, 2024 00:49
@caseywilliams caseywilliams force-pushed the API-34434/block-non-gateway-reqs branch from b462e3b to b4c53ba Compare March 6, 2024 01:02
@va-vfs-bot va-vfs-bot temporarily deployed to API-34434/block-non-gateway-reqs/main/main March 7, 2024 01:05 Inactive
@caseywilliams caseywilliams merged commit b561f07 into master Mar 11, 2024
20 checks passed
@caseywilliams caseywilliams deleted the API-34434/block-non-gateway-reqs branch March 11, 2024 20:29