app/notify_client/__init__.py

from flask import abort, has_request_context, request
from flask_login import current_user
from notifications_python_client import __version__
from notifications_python_client.base import BaseAPIClient
from notifications_utils.clients.redis import RequestCache

from app.extensions import redis_client

cache = RequestCache(redis_client)


def _attach_current_user(data):
    return dict(
        created_by=current_user.id,
        **data
    )


class NotifyAdminAPIClient(BaseAPIClient):

    def __init__(self):
        super().__init__("a" * 73, "b")

    def init_app(self, app):
        self.base_url = app.config['API_HOST_NAME']
        self.service_id = app.config['ADMIN_CLIENT_USER_NAME']
        self.api_key = app.config['ADMIN_CLIENT_SECRET']
        self.route_secret = app.config['ROUTE_SECRET_KEY_1']

    def generate_headers(self, api_token):
        headers = {
            "Content-type": "application/json",
            "Authorization": "Bearer {}".format(api_token),
            "X-Custom-Forwarder": self.route_secret,
            "User-agent": "NOTIFY-API-PYTHON-CLIENT/{}".format(__version__)
        }
        return self._add_request_id_header(headers)

    @staticmethod
    def _add_request_id_header(headers):
        if not has_request_context():
            return headers
        headers['X-B3-TraceId'] = request.request_id
        headers['X-B3-SpanId'] = request.span_id
        return headers

    def check_inactive_service(self):
        # this file is imported in app/__init__.py before current_service is initialised, so need to import later
        # to prevent cyclical imports
        from app import current_service

        # if the current service is inactive and the user isn't a platform admin, we should block them from making any
        # stateful modifications to that service
        if current_service and not current_service.active and not current_user.platform_admin:
            abort(403)

    def post(self, *args, **kwargs):
        self.check_inactive_service()
        return super().post(*args, **kwargs)

    def put(self, *args, **kwargs):
        self.check_inactive_service()
        return super().put(*args, **kwargs)

    def delete(self, *args, **kwargs):
        self.check_inactive_service()
        return super().delete(*args, **kwargs)


class InviteTokenError(Exception):
    pass
Run isort 2019-03-25 10:25:05 +00:00			`from flask import abort, has_request_context, request`
Send an email to the user when they change email address This PR changes the flow to change an email address. Once the user enter their password, they are told "Check your email". An email has been sent to them containing a link to notify which contains an encrypted token. The encrypted token contains the user id and new email address. Once the link is clicked the user's email address is updated to the new email address. They are redirected to the /user-profile page. Also in this commit is an update from flask.ext.login to flask_login. 2016-10-13 17:05:37 +01:00			`from flask_login import current_user`
fix notifications-python-client version import 2017-12-28 10:05:54 +00:00			`from notifications_python_client import __version__`
Run isort 2019-03-25 10:25:05 +00:00			`from notifications_python_client.base import BaseAPIClient`
Import request cache from utils We’ve making the request cache shared code now so we can remove it from this app and refer to the version in utils instead. Delete unused module 2020-06-22 09:39:32 +01:00			`from notifications_utils.clients.redis import RequestCache`

			`from app.extensions import redis_client`

			`cache = RequestCache(redis_client)`
Add created_by to all appropriate requests. 2016-04-15 11:08:19 +01:00

			`def _attach_current_user(data):`
Make `_attach_current_user` a pure function Mutating dictionaries is gross and doesn’t work as you’d expect. Better to have the function return a new dictionary instead. Means we can be explicit that `created_by` is one of the allowed params when updating a service. 2016-08-11 14:20:43 +01:00			`return dict(`
			`created_by=current_user.id,`
			`**data`
			`)`
Override the BaseAPI Client - This allows us to set a custom header for admin calls only (not needed in client calls) - Adds request-id from Middleware to the API call to ensure the API logs against the same request ID. 2016-11-30 17:00:42 +00:00

			`class NotifyAdminAPIClient(BaseAPIClient):`
Add Redis cache between admin and API Most of the time spent by the admin app to generate a page is spent waiting for the API. This is slow for three reasons: 1. Talking to the API means going out to the internet, then through nginx, the Flask app, SQLAlchemy, down to the database, and then serialising the result to JSON and making it into a HTTP response 2. Each call to the API is synchronous, therefore if a page needs 3 API calls to render then the second API call won’t be made until the first has finished, and the third won’t start until the second has finished 3. Every request for a service page in the admin app makes a minimum of two requests to the API (`GET /service/…` and `GET /user/…`) Hitting the database will always be the slowest part of an app like Notify. But this slowness is exacerbated by 2. and 3. Conversely every speedup made to 1. is multiplied by 2. and 3. So this pull request aims to make 1. a _lot_ faster by taking nginx, Flask, SQLAlchemy and the database out of the equation. It replaces them with Redis, which as an in-memory key/value store is a lot faster than Postgres. There is still the overhead of going across the network to talk to Redis, but the net improvement is vast. This commit only caches the `GET /service` response, but is written in such a way that we can easily expand to caching other responses down the line. The tradeoff here is that our code is more complex, and we risk introducing edge cases where a cache becomes stale. The mitigations against this are: - invalidating all caches after 24h so a stale cache doesn’t remain around indefinitely - being careful when we add new stuff to the service response --- Some indicative numbers, based on: - `GET http://localhost:6012/services/<service_id>/template/<template_id>` - with the admin app running locally - talking to Redis running locally - also talking to the API running locally, itself talking to a local Postgres instance - times measured with Chrome web inspector, average of 10 requests ╲ \| No cache \| Cache service \| Cache service and user \| Cache service, user and template -- \| -- \| -- \| -- \| -- Request time \| 136ms \| 97ms \| 73ms \| 37ms Improvement \| 0% \| 41% \| 88% \| 265% --- Estimates of how much storage this requires: - Services: 1,942 on production × 2kb = 4Mb - Users: 4,534 on production × 2kb = 9Mb - Templates: 7,079 on production × 4kb = 28Mb 2018-04-06 13:37:49 +01:00
Inherit don’t duplicate API client constructor This removes some code which is duplicative and obscure (ie it’s not very clear why we do `"a" * 73` even though there is a Very Good Reason for doing so). 2019-01-29 11:12:33 +00:00			`def __init__(self):`
			`super().__init__("a" * 73, "b")`

Add route secret key header to the API requests Currently requests to the API made from the admin app are going from PaaS admin app to the nginx router ELB, which then routes them back to the api app on PaaS. This makes sense for external requests, but for requests made from the admin app we could skip nginx and go directly to the api PaaS host, which should reduce load on the nginx instances and potentially reduce latency of the api requests. API apps on PaaS are checking the X-Custom-Forwarder header (which is set by nginx on proxy_pass requests) to only allow requests going through the proxy. This adds the custom header to the API client requests, so that they can pass that header check without going through nginx. 2018-02-09 15:03:32 +00:00			`def init_app(self, app):`
			`self.base_url = app.config['API_HOST_NAME']`
			`self.service_id = app.config['ADMIN_CLIENT_USER_NAME']`
			`self.api_key = app.config['ADMIN_CLIENT_SECRET']`
			`self.route_secret = app.config['ROUTE_SECRET_KEY_1']`

Override the BaseAPI Client - This allows us to set a custom header for admin calls only (not needed in client calls) - Adds request-id from Middleware to the API call to ensure the API logs against the same request ID. 2016-11-30 17:00:42 +00:00			`def generate_headers(self, api_token):`
			`headers = {`
			`"Content-type": "application/json",`
			`"Authorization": "Bearer {}".format(api_token),`
Add route secret key header to the API requests Currently requests to the API made from the admin app are going from PaaS admin app to the nginx router ELB, which then routes them back to the api app on PaaS. This makes sense for external requests, but for requests made from the admin app we could skip nginx and go directly to the api PaaS host, which should reduce load on the nginx instances and potentially reduce latency of the api requests. API apps on PaaS are checking the X-Custom-Forwarder header (which is set by nginx on proxy_pass requests) to only allow requests going through the proxy. This adds the custom header to the API client requests, so that they can pass that header check without going through nginx. 2018-02-09 15:03:32 +00:00			`"X-Custom-Forwarder": self.route_secret,`
Override the BaseAPI Client - This allows us to set a custom header for admin calls only (not needed in client calls) - Adds request-id from Middleware to the API call to ensure the API logs against the same request ID. 2016-11-30 17:00:42 +00:00			`"User-agent": "NOTIFY-API-PYTHON-CLIENT/{}".format(__version__)`
			`}`
			`return self._add_request_id_header(headers)`

			`@staticmethod`
			`def _add_request_id_header(headers):`
			`if not has_request_context():`
			`return headers`
Use the zipkin headers from utils version 30.0.0 2018-08-14 12:00:23 +01:00			`headers['X-B3-TraceId'] = request.request_id`
Both trace_id and span_id headers must be present 2018-08-14 18:12:06 +01:00			`headers['X-B3-SpanId'] = request.span_id`
Override the BaseAPI Client - This allows us to set a custom header for admin calls only (not needed in client calls) - Adds request-id from Middleware to the API call to ensure the API logs against the same request ID. 2016-11-30 17:00:42 +00:00			`return headers`
block inactive services from making stateful changes in the NotifyAdminAPIClient, which all api traffic goes through, return 403 for any stateful requests (post, put and delete), if the following criteria have been met: * a current_service is set (this prevents checks being carried out on non-service related updates, eg editing user details) * the service is not active * the current user is not a platform admin so platform admins can still update anything. Note: Without any specific error handling, the user will see a generic 403 page. This is fine, probably - it's a relatively niche case that you'll be editing a service you can't get to anyway 2016-12-09 15:44:58 +00:00
			`def check_inactive_service(self):`
			`# this file is imported in app/__init__.py before current_service is initialised, so need to import later`
			`# to prevent cyclical imports`
			`from app import current_service`

			`# if the current service is inactive and the user isn't a platform admin, we should block them from making any`
			`# stateful modifications to that service`
Use service model to look up service attributes This is better than just keying into the JSON because it means you get an exception straight away when looking up a key that doesn’t exist (which via mocking you could ordinarily miss). 2018-07-20 08:42:01 +01:00			`if current_service and not current_service.active and not current_user.platform_admin:`
block inactive services from making stateful changes in the NotifyAdminAPIClient, which all api traffic goes through, return 403 for any stateful requests (post, put and delete), if the following criteria have been met: * a current_service is set (this prevents checks being carried out on non-service related updates, eg editing user details) * the service is not active * the current user is not a platform admin so platform admins can still update anything. Note: Without any specific error handling, the user will see a generic 403 page. This is fine, probably - it's a relatively niche case that you'll be editing a service you can't get to anyway 2016-12-09 15:44:58 +00:00			`abort(403)`

			`def post(self, args, *kwargs):`
			`self.check_inactive_service()`
			`return super().post(args, *kwargs)`

			`def put(self, args, *kwargs):`
			`self.check_inactive_service()`
			`return super().put(args, *kwargs)`

			`def delete(self, args, *kwargs):`
			`self.check_inactive_service()`
			`return super().delete(args, *kwargs)`
Make user API client return JSON, not a model The data flow of other bits of our application looks like this: ``` API (returns JSON) ⬇ API client (returns a built in type, usually `dict`) ⬇ Model (returns an instance, eg of type `Service`) ⬇ View (returns HTML) ``` The user API client was architected weirdly, in that it returned a model directly, like this: ``` API (returns JSON) ⬇ API client (returns a model, of type `User`, `InvitedUser`, etc) ⬇ View (returns HTML) ``` This mixing of different layers of the application is bad because it makes it hard to write model code that doesn’t have circular dependencies. As our application gets more complicated we will be relying more on models to manage this complexity, so we should make it easy, not hard to write them. It also means that most of our mocking was of the User model, not just the underlying JSON. So it would have been easy to introduce subtle bugs to the user model, because it wasn’t being comprehensively tested. A lot of the changed lines of code in this commit mean changing the tests to mock only the JSON, which means that the model layer gets implicitly tested. For those reasons this commit changes the user API client to return JSON, not an instance of `User` or other models. 2019-05-23 15:27:35 +01:00

			`class InviteTokenError(Exception):`
			`pass`